Hey!
I found unclear behaviour with vulnerabilities reporting when using cwd.
With this package.json:
```json
{
  "private": true,
  "dependencies": {
    "classnames": "^2.1.5",
    "director": "^1.2.0",
    "react": "^0.13.3",
    "todomvc-app-css": "^2.0.0",
    "todomvc-common": "^1.0.1"
  },
  "devDependencies": {
    "bin-up": "^1.1.0"
  }
}
```

I run `npm audit` and get this output:

```
# npm audit report
react >=0.0.1 <0.14.0
Severity: high
Cross-Site Scripting in react - https://github.com/advisories/GHSA-hg79-j56m-fxgv
fix available via `npm audit fix --force`
Will install react@18.0.0, which is a breaking change
node_modules/react
1 high severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
```

but when I use cwd:

```js
await cwd(path, {
  vulnerabilityStrategy: "npm",
  fullLockMode: true
})
```

I get `vulnerabilities: []`.
What am I doing wrong? Could you please clarify how this works?
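One way to reconcile a scanner's empty result against what npm itself reports is to parse the machine-readable `npm audit --json` report (auditReportVersion 2, emitted by npm 7 and later). The following is an added example, not code from the issue or from the library it asks about; the embedded report is constructed to mirror the text output quoted above.

```javascript
// Added example (not from the issue or the library it asks about): flatten an
// `npm audit --json` report (auditReportVersion 2, npm 7+) into one record per
// advisory. The sample report is constructed to mirror the issue's text output.
const sampleAuditJson = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    react: {
      name: "react",
      severity: "high",
      isDirect: true,
      via: [{
        name: "react",
        title: "Cross-Site Scripting in react",
        url: "https://github.com/advisories/GHSA-hg79-j56m-fxgv",
        severity: "high",
        range: ">=0.0.1 <0.14.0",
      }],
      effects: [],
      range: ">=0.0.1 <0.14.0",
      nodes: ["node_modules/react"],
      fixAvailable: { name: "react", version: "18.0.0", isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0, total: 1 } },
});
// In report v2, `via` mixes advisory objects (the package's own flaws) with plain
// strings naming other vulnerable packages (inherited flaws); only objects count.
function summarizeAudit(auditJson) {
  const report = JSON.parse(auditJson);
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const findings = [];
  for (const pkg of Object.values(report.vulnerabilities || {})) {
    for (const via of pkg.via || []) {
      if (typeof via === "string") continue; // inherited; reported under its source
      findings.push({
        package: pkg.name,
        severity: via.severity,
        range: via.range,
        advisory: via.url,
        direct: pkg.isDirect === true,
        breakingFix: Boolean(pkg.fixAvailable && pkg.fixAvailable.isSemVerMajor),
      });
    }
  }
  return findings;
}
```

Feeding the real output of `npm audit --json` into `summarizeAudit` gives a list that can be compared field by field with whatever the library returns for the same project directory.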