
keys used for testing bundled unnecessarily? #18

@dbrugger

The distributed npm package contains keys as part of the test folder.
(Container) scanning tools like Twistlock raise compliance issues, e.g.

Type:              compliance
Sev.:              high
Description:       Private keys stored in image
Found: /opt/app-root/node_modules/pem-jwk/test/priv.pem

The files are not needed for running the app in production, and could be removed as part of the container build, or within a postinstall script. Even more convenient would be to not have them included in the first place, as it might be a problem for others too.
@dannycoates are there use cases that require these files to be bundled with the released npm package? If not, I'd be happy to contribute a PR that adds a files section to package.json to include only what's needed, or adds an .npmignore to ignore the test folder.
