Is the lack of CVE because the implementations you wrote are better written and safer than those in the standard libraries or because no one has checked?
Well, there's probably far less attack surface.
Presumably the latter. However, mindlessly bumping package versions to fix bullshit security vulnerabilities is now industry standard practice. Once your client/company reaches a certain size, you will pretty much have to do it to satisfy the demands of some sort of security/compliance jarl.
And yet npm install [package with 1000 recursive dependencies] is not considered a supply chain risk at all to those security/compliance jarls.
Let alone having to check all licenses...