[Bug?]: excluding specific deprecated package doesn't work for npm audit

[b-nijhuis-innovadis]

Self-service

• I'd be willing to implement a fix

Describe the bug

I want to ignore a specific deprecated package.

I run :

yarn npm audit --recursive --all --severity info --environment production --exclude sourcemap-codec

Expected output:

➤ YN0001: No audit suggestions

Actual output:

└─ sourcemap-codec
   ├─ ID: sourcemap-codec (deprecation)
   ├─ Issue: Please use @jridgewell/sourcemap-codec instead
   ├─ Severity: moderate
   ├─ Vulnerable Versions: 1.4.8
   │ (\n)?
   │ (\n)?
   ├─ Tree Versions
   │  └─ 1.4.8
   └─ Dependents
      └─ magic-string@npm:0.25.1

To reproduce

Install sourcemap-codec directly or as peer-dependency (for example with magic-string@npm:0.25.1).

Run:

yarn npm audit --recursive --all --severity info --environment production --exclude sourcemap-codec

Environment

System:
    OS: Windows 10 10.0.22621
    CPU: (20) x64 12th Gen Intel(R) Core(TM) i7-12700H
  Binaries:
    Node: 18.18.1 - C:\Users\BASNIJ~1\AppData\Local\Temp\xfs-8011ae2b\node.CMD
    Yarn: 4.0.0 - C:\Users\BASNIJ~1\AppData\Local\Temp\xfs-8011ae2b\yarn.CMD
    npm: 9.8.1 - C:\Program Files\nodejs\npm.CMD

Additional context

No response

[jpogorzelski]

I confirm that the same happens when exclusion is done in yarnrc.yml file:

npmAuditExcludePackages:
  - "vm2"

$ yarn npm audit --all --recursive --environment=production --json

{
  "vm2": [
    {
      "id": "vm2 (deprecation)",
      "title": "The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.",
      "severity": "moderate",
      "vulnerable_versions": "3.9.19"
    }
  ]
}

It worked well in Yarn v. 3.6.4, stopped from 4.0.0

[arcanis]

Will be fixed by #5833 - you can try it with:

yarn set version from sources --branch 5833

[jpogorzelski]

I confirm that the same happens when exclusion is done in yarnrc.yml file:

npmAuditExcludePackages:
  - "vm2"

$ yarn npm audit --all --recursive --environment=production --json

{
  "vm2": [
    {
      "id": "vm2 (deprecation)",
      "title": "The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.",
      "severity": "moderate",
      "vulnerable_versions": "3.9.19"
    }
  ]
}

It worked well in Yarn v. 3.6.4, stopped from 4.0.0

[arcanis]

Will be fixed by #5833 - you can try it with:

yarn set version from sources --branch 5833