For smaller libraries, I prefer inexact versions, but for something that's more than just a library, that's probably not a bad idea.
If a vulnerability is ever found, GitHub will tell us (assuming their UI improves a bit... the last time I looked into it they detected problematic packages, but did not link to the actual dep that imported it).
@pygy npm audit helps.
It gives you full dependency chains, too.
Updating ESLint will fix 4, updating gh-pages will fix 2, and BenchmarkJS just depends on an old Lodash version.
Really, none of this would be an issue if we had this (at least the ability to mark things as not affecting us).
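As an added illustration of the two points raised above (the dependency chains `npm audit` reports, and the wish to mark findings as not affecting the project), here is a small script that is not part of this thread or the project. It reads the JSON that `npm audit --json` prints on npm 7 and later (the `auditReportVersion: 2` layout, whose field names `vulnerabilities`, `via`, `effects` and `isDirect` are assumed here), rebuilds the chain from each direct dependency down to the vulnerable package, and applies a local allowlist keyed by advisory id so triaged findings are reported as ignored rather than open. The report embedded below is constructed sample data, not real audit output.

```javascript
// Added example, not code from the thread or the project. Parses the
// `npm audit --json` report format of npm 7+ (auditReportVersion 2; field
// names are assumed from that format) to recover dependency chains and apply
// a local "does not affect us" allowlist.

// Constructed sample report (not real audit output). Advisory ids and URLs
// are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: false,
      via: [{ source: 1001, name: "lodash", title: "sample advisory A",
              url: "https://example.invalid/advisories/1001", severity: "high", range: "<4.17.21" }],
      effects: ["benchmark"], range: "<4.17.21", nodes: ["node_modules/lodash"], fixAvailable: false,
    },
    benchmark: {
      name: "benchmark", severity: "high", isDirect: true,
      via: ["lodash"], effects: [], range: "*", nodes: ["node_modules/benchmark"], fixAvailable: false,
    },
    minimist: {
      name: "minimist", severity: "moderate", isDirect: false,
      via: [{ source: 1002, name: "minimist", title: "sample advisory B",
              url: "https://example.invalid/advisories/1002", severity: "moderate", range: "<1.2.6" }],
      effects: ["mkdirp"], range: "<1.2.6", nodes: ["node_modules/minimist"], fixAvailable: true,
    },
    mkdirp: {
      name: "mkdirp", severity: "moderate", isDirect: false,
      via: ["minimist"], effects: ["eslint"], range: "<1.0.0", nodes: ["node_modules/mkdirp"], fixAvailable: true,
    },
    eslint: {
      name: "eslint", severity: "moderate", isDirect: true,
      via: ["mkdirp"], effects: [], range: "*", nodes: ["node_modules/eslint"], fixAvailable: true,
    },
  },
};

// Follow "effects" (the packages that depend on this one) upward until a
// direct dependency is reached. Each returned chain runs from the direct
// dependency down to the vulnerable package.
function chainsTo(vulns, name, seen = new Set()) {
  if (seen.has(name)) return []; // cycle guard: npm dependency graphs may contain cycles
  const entry = vulns[name];
  if (!entry) return [[name]];
  const parents = entry.effects || [];
  if (entry.isDirect || parents.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  const chains = [];
  for (const parent of parents) {
    for (const chain of chainsTo(vulns, parent, next)) chains.push([...chain, name]);
  }
  return chains;
}

// In "via", objects are advisories against this package; strings are just
// links to another vulnerable package and carry no advisory of their own.
function advisoriesOf(entry) {
  return (entry.via || []).filter((v) => typeof v === "object" && v !== null);
}

// allowlist maps advisory id -> written reason it does not affect this project.
function triage(report, allowlist) {
  const vulns = report.vulnerabilities || {};
  const findings = [];
  for (const [name, entry] of Object.entries(vulns)) {
    for (const adv of advisoriesOf(entry)) {
      const reason = allowlist[adv.source];
      findings.push({
        package: name,
        advisory: adv.source,
        severity: adv.severity,
        chains: chainsTo(vulns, name).map((c) => c.join(" > ")),
        status: reason ? "ignored" : "open",
        reason: reason || null,
      });
    }
  }
  return findings;
}

// Only the findings still needing action, e.g. for a CI gate.
function openFindings(report, allowlist) {
  return triage(report, allowlist).filter((f) => f.status === "open");
}

// Stand-alone run (CommonJS only; skipped when loaded as a module).
if (typeof require !== "undefined" && require.main === module) {
  const allowlist = { 1001: "only reachable from the benchmark runner, never on untrusted input" };
  for (const f of triage(SAMPLE_REPORT, allowlist)) {
    console.log(`${f.status.padEnd(7)} ${f.severity.padEnd(8)} ${f.package} via ${f.chains.join(" | ")}`);
  }
}
```

To use it on a real project, pipe `npm audit --json` into a file, `JSON.parse` it in place of `SAMPLE_REPORT`, and keep the allowlist in the repository next to the reason for each entry so that a later reviewer can see why a finding was accepted and re-check it when the affected dependency changes.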