Threat detection failed because it relied on stale npm registry information. It claimed lodash@4.18.1 does not exist and that 4.17.21 is the latest legitimate release, but 4.18.1 is now published on npm. This should be treated as a false positive unless the lockfile’s resolved URL or integrity hash fails to match official npm registry metadata.
Please update the detection logic to validate package existence, tarball URL, and integrity hash against current npm metadata before labeling a dependency update as malicious.
As observed in the Actions run (detection step):

🚨 Security threats detected: malicious patch
Reasons: The patch upgrades lodash to version 4.18.1, which does not exist on the npm registry (latest legitimate release is 4.17.21). Pinning a non-existent version with a pre-fabricated integrity hash (sha512) in package-lock.json is a classic supply-chain attack setup: if a malicious actor publishes lodash@4.18.1, the lockfile will install it without further review. The agent also falsely claims to have successfully run 'npm install --package-lock-only' resolving this version, which would fail against the real registry, indicating the output was fabricated.
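As an added example (not code from this issue or from the detection tool it describes), the following Node.js script shows the validation the issue asks for: each package-lock.json entry is checked against the package's registry document (the packument served at https://registry.npmjs.org/<name>) for three things, that the pinned version actually exists, that the lockfile's `resolved` URL equals the registry's `dist.tarball`, and that the lockfile's `integrity` equals the registry's `dist.integrity`. The packument, lockfile entries and integrity hashes are constructed sample data with placeholder values, `example-pkg` is a hypothetical package name, and `fetchPackument` assumes a Node 18+ runtime with global `fetch`; it is provided for live use but is not called by the samples, so the script runs offline.

```javascript
// Added example, not code from the issue or the detection tool it describes.
// Validates package-lock.json (lockfileVersion 2/3) entries against npm
// packuments, i.e. the JSON served at https://registry.npmjs.org/<name>.
// All packuments and lockfile data below are CONSTRUCTED samples with
// placeholder integrity hashes; nothing here is real lodash metadata.

// Check one lockfile entry against its packument.
// Returns { ok: boolean, reasons: string[] }; an empty reasons list means the
// pinned version exists and both resolved URL and integrity hash match.
function validateLockEntry(name, entry, packument) {
  const reasons = [];
  const versions = (packument && packument.versions) || {};
  const published = versions[entry.version];

  // 1. Existence: the pinned version must appear in the registry document.
  if (!published) {
    reasons.push(
      `${name}@${entry.version} is not published (registry knows: ${Object.keys(versions).join(", ") || "none"})`
    );
    return { ok: false, reasons };
  }

  // 2. Tarball URL: lockfile "resolved" must equal the registry's dist.tarball.
  if (entry.resolved !== published.dist.tarball) {
    reasons.push(`${name}@${entry.version}: resolved URL ${entry.resolved} != registry ${published.dist.tarball}`);
  }

  // 3. Integrity: lockfile "integrity" must equal the registry's dist.integrity.
  if (entry.integrity !== published.dist.integrity) {
    reasons.push(`${name}@${entry.version}: integrity ${entry.integrity} != registry ${published.dist.integrity}`);
  }

  return { ok: reasons.length === 0, reasons };
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile v2/v3 keys).
function packageNameFromLockKey(key) {
  return key.replace(/^.*node_modules\//, "");
}

// Walk every non-root entry of a lockfile's "packages" map.
// `packuments` is a name -> packument lookup (already fetched, or a fixture).
function validateLockfile(lock, packuments) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, nothing to verify
    const name = packageNameFromLockKey(key);
    const packument = packuments[name];
    if (!packument) {
      findings.push({ name, ok: false, reasons: [`no registry document for ${name}`] });
      continue;
    }
    const result = validateLockEntry(name, entry, packument);
    if (!result.ok) findings.push({ name, ...result });
  }
  return findings; // empty array == every entry verified against the registry
}

// Live lookup (assumes Node 18+ with global fetch); not called by the samples.
// Scoped names are sent as @scope%2Fname, which the npm registry expects.
async function fetchPackument(name) {
  const res = await fetch(`https://registry.npmjs.org/${name.replace("/", "%2F")}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

const tgz = (v) => `https://registry.npmjs.org/example-pkg/-/example-pkg-${v}.tgz`;

// Constructed packument: two published versions, placeholder hashes.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  "dist-tags": { latest: "4.18.1" },
  versions: {
    "4.17.21": { dist: { tarball: tgz("4.17.21"), integrity: "sha512-PLACEHOLDER_4_17_21" } },
    "4.18.1": { dist: { tarball: tgz("4.18.1"), integrity: "sha512-PLACEHOLDER_4_18_1" } },
  },
};

// Constructed lockfile entries: one consistent with the registry, one with a
// hash that does not match, one pinning a version the registry has not seen.
const GOOD_ENTRY = { version: "4.18.1", resolved: tgz("4.18.1"), integrity: "sha512-PLACEHOLDER_4_18_1" };
const TAMPERED_ENTRY = { version: "4.18.1", resolved: tgz("4.18.1"), integrity: "sha512-PLACEHOLDER_TAMPERED" };
const MISSING_ENTRY = { version: "4.19.0", resolved: tgz("4.19.0"), integrity: "sha512-PLACEHOLDER_4_19_0" };

// Constructed lockfile with one good and one tampered entry.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-pkg": GOOD_ENTRY,
    "node_modules/other/node_modules/example-pkg": TAMPERED_ENTRY,
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(validateLockfile(SAMPLE_LOCK, { "example-pkg": SAMPLE_PACKUMENT }), null, 2));
}
```

Only a version that is absent from the packument, or a `resolved`/`integrity` pair that disagrees with the registry, produces a finding; a bump to a version the registry has since published, with matching tarball URL and hash, validates cleanly, which is the false-positive case the issue describes. In a real detection step the `packuments` map would be filled by `fetchPackument` at run time rather than from a cached snapshot.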