Hello After upgrading pkg to 1.16 all my monitoring for vulnerable packages started making noise. Before pkg 1.16 "pkg audit -q" would not output anything if no packages were vulnerable, and would output one line per vulnerable package otherwise. I use this in a simple script to keep an eye on things. After pkg 1.16 it outputs the string "(null)" to stdout when no vulnerable packages are installed, meaning my monitoring now says that I have 1 vulnerable package everywhere :)
fixed in 1.16.1