[BUG] npm audit doesn't show GitHub Dependabot alerts #4681

@Ockejanssen
Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

package.json with:

    {
      "dependencies": {
        "node-forge": "^0.10.0"
      }
    }

    $ npm audit

    # npm audit report

    node-forge  <=1.2.1
    Severity: moderate

Expected Behavior

CVE-2022-0122 (moderate)
CVE-2022-24773 (moderate)
CVE-2022-24772 (high)
CVE-2022-24771 (high)

The issue appears in npm 7 and npm 8. npm 6 works as expected.

Steps To Reproduce

  1. In this environment...
    npm 8
  2. With this config...
  3. Run '...'
    npm i node-forge@^0.10.0
    npm shrinkwrap
    npm audit
  4. See error...
    Only 1 moderate

Environment

  • npm: 8.6.0
  • Node.js: 16.14.2
  • OS Name: Linux, Mac
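The gap the reporter describes (one consolidated "moderate" line from npm audit versus four Dependabot alerts, two of them high) is easy to miss when the human-readable report collapses advisories per package. The following is an added example, not code from the issue or from npm: it reads an `npm audit --json` report in the auditReportVersion 2 layout that npm 7 and 8 emit (top-level `vulnerabilities`, each with a `via` list of advisory objects carrying `severity` and `range`, as I understand that format) and compares the per-severity counts with the Dependabot alerts listed above. The sample report is constructed by hand to mirror what the reporter saw, with `source`/`url` fields left out rather than inventing advisory identifiers; the Dependabot list uses the CVE ids and severities from this issue.

```python
"""Cross-check an `npm audit --json` report against Dependabot alerts.

Added example, not part of the original issue or of npm. The report
layout (top-level "vulnerabilities", each with a "via" list of advisory
objects carrying "severity" and "range") follows npm 7/8's
auditReportVersion 2 output as I understand it; the sample report below
is constructed by hand, not captured from a real run.
"""
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample mirroring what the reporter saw: a single advisory
# for node-forge, reported as moderate. Real reports also carry a numeric
# "source" id and a GitHub advisory "url" per entry; they are omitted here
# rather than invent identifiers.
SAMPLE_AUDIT_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "node-forge": {
            "name": "node-forge",
            "severity": "moderate",
            "isDirect": True,
            "via": [
                {
                    "name": "node-forge",
                    "dependency": "node-forge",
                    "title": "Constructed placeholder advisory",
                    "severity": "moderate",
                    "range": "<=1.2.1",
                }
            ],
            "effects": [],
            "range": "<=1.2.1",
            "nodes": ["node_modules/node-forge"],
            "fixAvailable": True,
        }
    },
}

# The four alerts Dependabot showed for the same manifest (CVE ids and
# severities exactly as listed in the issue).
DEPENDABOT_ALERTS = {
    "node-forge": [
        ("CVE-2022-0122", "moderate"),
        ("CVE-2022-24773", "moderate"),
        ("CVE-2022-24772", "high"),
        ("CVE-2022-24771", "high"),
    ]
}


def advisories_in_report(report, package):
    """Return the advisory objects npm audit attributes to `package`.

    `via` mixes two kinds of entries: advisory dicts (direct findings) and
    plain strings naming a dependency through which the package is affected
    (transitive findings). Only the dicts are advisories.
    """
    vuln = report.get("vulnerabilities", {}).get(package)
    if vuln is None:
        return []
    return [entry for entry in vuln.get("via", []) if isinstance(entry, dict)]


def highest_severity(advisories):
    """Highest severity among a list of advisory objects, or None if empty."""
    if not advisories:
        return None
    return max((a["severity"] for a in advisories), key=SEVERITY_RANK.__getitem__)


def missing_by_severity(report, alerts, package):
    """Dependabot alerts per severity minus what npm audit reported.

    npm audit prints GHSA urls rather than CVE ids, so the two sources are
    compared by severity histogram instead of by identifier. A positive
    count means Dependabot has that many more alerts at that severity than
    npm audit surfaced.
    """
    reported = Counter(a["severity"] for a in advisories_in_report(report, package))
    expected = Counter(sev for _, sev in alerts.get(package, []))
    missing = expected - reported  # Counter subtraction drops non-positive counts
    return dict(missing)


def under_reported_packages(report, alerts):
    """Packages for which Dependabot knows strictly more alerts than npm audit."""
    return sorted(pkg for pkg in alerts if missing_by_severity(report, alerts, pkg))


if __name__ == "__main__":
    for pkg in DEPENDABOT_ALERTS:
        found = advisories_in_report(SAMPLE_AUDIT_REPORT, pkg)
        print(f"{pkg}: npm audit lists {len(found)} advisory(ies), "
              f"highest severity {highest_severity(found)}")
        gap = missing_by_severity(SAMPLE_AUDIT_REPORT, DEPENDABOT_ALERTS, pkg)
        if gap:
            print(f"  not surfaced by npm audit: {gap}")
```

Against the constructed report this prints one moderate advisory for node-forge and a gap of one moderate and two high alerts, which is the discrepancy the issue describes. To use it on a real project, replace `SAMPLE_AUDIT_REPORT` with `json.load()` of `npm audit --json` output and `DEPENDABOT_ALERTS` with the alerts exported from the repository's Security tab.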
