Completely agree. I found with work projects that often it's client-side libraries it flags up, e.g. with a regular expression denial of service vulnerability that needs some crazy specific conditions to be met for user input to reach the part of the library that eventually uses it in a regex.