investigation #1

Open
naugtur wants to merge 1 commit into danjm:main from naugtur:main

Conversation

@naugtur naugtur commented Jul 28, 2023

Note:
To reproduce, use yarn npm audit --recursive so that all transitive dependencies are included.

What I did:

  • used debugging-aid/curl to get the outgoing request as curl
  • took the JSON payload
  • ran a script checking if all "requires" items have matching top-level items in dependencies

```
$ node a.js
required item missing string-width-cjs in @isaacs/cliui
required item missing strip-ansi-cjs in @isaacs/cliui
required item missing wrap-ansi-cjs in @isaacs/cliui
unused yarn-bug
unused is-fullwidth-code-point
unused color-convert
unused fs.realpath
unused path-is-absolute
unused inflight
unused concat-map
```

3 stood out: the ones below ending with -cjs are invalid. Removing them from the JSON and re-running the request gets us the audit content.

```json
"@isaacs/cliui": {
    "version": "8.0.2",
    "integrity": "79a6d72025ba009224166c16596476559af2f4825bf8a43737188dee4cc12410b9a58f7e5b80f42c07b99fd7de1134563c2c98bcd4aedd69028401d642dff4aa",
    "requires": {
        "string-width-cjs": "string-width@^4.2.0",
        "string-width": "^5.1.2",
        "strip-ansi-cjs": "strip-ansi@^6.0.1",
        "strip-ansi": "^7.0.1",
        "wrap-ansi-cjs": "wrap-ansi@^7.0.0",
        "wrap-ansi": "^8.1.0"
    },
    "dev": false
},
```

Looks like they are custom resolutions for the original packages that should be virtual but end up being reported.
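The consistency check described in the comment above, written out as an added example (this is not the `a.js` script from the PR and not part of the project). It assumes the audit payload has the shape shown in the JSON fragment: a top-level `dependencies` map whose entries carry a `requires` map. On top of the missing/unused report it also flags alias-style specs (`name@range`, the form the `-cjs` entries take) and produces a copy of the payload with those entries removed, which is the manual fix the comment describes. The sample payload is constructed for the example.

```javascript
// Added example, not the PR's own script. Checks a yarn "npm audit" request
// payload for "requires" entries with no matching top-level dependency, flags
// alias-style specs ("pkg@range"), and lists dependencies nothing requires.

// Constructed sample payload, modelled on the fragment quoted in the PR.
const SAMPLE_PAYLOAD = {
  dependencies: {
    "yarn-bug": { version: "1.0.0", requires: { "@isaacs/cliui": "^8.0.2" }, dev: false },
    "@isaacs/cliui": {
      version: "8.0.2",
      requires: {
        "string-width-cjs": "string-width@^4.2.0", // alias-style spec
        "string-width": "^5.1.2",
        "strip-ansi": "^7.0.1",
      },
      dev: false,
    },
    "string-width": { version: "5.1.2", requires: { "strip-ansi": "^7.0.1" }, dev: false },
    "strip-ansi": { version: "7.0.1", requires: {}, dev: false },
    "fs.realpath": { version: "1.0.0", requires: {}, dev: false },
  },
};

// Heuristic: a spec that starts with a (possibly scoped) package name followed by
// "@" is an alias to another package, e.g. "string-width@^4.2.0" or
// "npm:string-width@^4.2.0". Plain ranges such as "^5.1.2" contain no "@".
const ALIAS_RE = /^(?:npm:)?(@?[^@\s/]+(?:\/[^@\s/]+)?)@(.+)$/;

function parseAlias(spec) {
  const m = ALIAS_RE.exec(String(spec));
  return m ? { target: m[1], range: m[2] } : null;
}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns { missing, aliased, unused } for the payload.
function checkRequires(payload) {
  const deps = payload.dependencies || {};
  const missing = [];
  const aliased = [];
  const used = new Set();
  for (const [parent, entry] of Object.entries(deps)) {
    for (const [name, spec] of Object.entries(entry.requires || {})) {
      const alias = parseAlias(spec);
      if (alias) aliased.push({ parent, name, target: alias.target, range: alias.range });
      if (has(deps, name)) used.add(name);
      else missing.push({ parent, name });
    }
  }
  const unused = Object.keys(deps).filter((n) => !used.has(n));
  return { missing, aliased, unused };
}

// Returns a new payload with every alias-style "requires" entry dropped; the
// input is left untouched so the original request can still be compared.
function stripAliases(payload) {
  const deps = {};
  for (const [name, entry] of Object.entries(payload.dependencies || {})) {
    const requires = {};
    for (const [req, spec] of Object.entries(entry.requires || {})) {
      if (!parseAlias(spec)) requires[req] = spec;
    }
    deps[name] = { ...entry, requires };
  }
  return { ...payload, dependencies: deps };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(checkRequires(SAMPLE_PAYLOAD), null, 2));
  console.log(JSON.stringify(checkRequires(stripAliases(SAMPLE_PAYLOAD)), null, 2));
}
```

Run it with `node check.js` (any file name) to see the report for the sample, then the same report after the alias entries are stripped, where `missing` is empty. To use it on a real payload, replace `SAMPLE_PAYLOAD` with the parsed JSON body of the captured request.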

@naugtur changed the title from "investigation and fix" to "investigation" on Jul 28, 2023