It's true that you can satisfy the audit just by running dependency scans and updating the ones that come back vulnerable. Unfortunately, in a lot of ecosystems, that ends up looking the same as keeping all your libraries updated.
You can instead document exceptions for why all those vulnerabilities don't apply to your app, but that's sometimes more trouble.