
[FEATURE] Turn auditing on for tertiary dependencies re: private dependencies #1304

Closed
mcandre opened this issue May 15, 2020 · 3 comments
Labels
Enhancement new feature or improvement

Comments

@mcandre

mcandre commented May 15, 2020

What / Why

npm audit currently gets confused by package dependencies that are not on public NPM. This means any private wrapper libraries cause important security notices to go unseen, for the entire package subtree. Fortunately, relatively minor code changes could easily enable npm to audit these package trees as well.

Regardless of the source of the npm package, the target is always the local node_modules directory, complete with package.json details. So npm audit should in theory be able to add these entries to its scan list.

The vast majority of the package subtree should be auditable; only the specific tree nodes off of the public NPM registry would be ineligible for CVE reports.

@mcandre mcandre changed the title [FEATURE] Audit private dependencies [FEATURE] Turn auditing on for tertiary dependencies re: private dependencies May 15, 2020
@darcyclarke darcyclarke added the Enhancement new feature or improvement label Oct 30, 2020
@darcyclarke
Contributor

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.

@mcandre
Author

mcandre commented Jun 2, 2021

Ongoing security attacks don't care about templates.

@ljharb
Collaborator

ljharb commented Jun 2, 2021

@mcandre "audits" work serverside by looking at dependencies, so a private package indeed prevents any of its deps from being audited.

If you think there are indeed minor changes that would fix this, filing an RFC - which is not on this repo - would be appropriate.

Also, what "ongoing" security attacks?
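The issue body and ljharb's reply both describe the same blind spot: packages nested under a dependency that was not resolved from the public registry are not covered by an audit, even though they are present in node_modules and in the lockfile. The script below is an added example (not code from the npm project or from anyone in this thread) that walks a lockfileVersion 1 package-lock.json, the npm v6 format in use when this issue was filed, and reports which public-registry packages sit beneath a non-public ancestor so they can be audited by other means. It assumes that a package is "public" exactly when its `resolved` URL starts with https://registry.npmjs.org/; the lockfile, package names and versions are constructed for the example and are not real packages.

```javascript
// Added example: find public-registry packages that are "shadowed" by a
// private ancestor in a lockfileVersion 1 package-lock.json.
// Assumption: a package came from the public registry iff its `resolved`
// field starts with PUBLIC_REGISTRY. Everything below this line is
// constructed sample data, not real packages.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Constructed sample lockfile (lockfileVersion 1 shape: nested `dependencies`).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'public-lib': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/public-lib/-/public-lib-1.0.0.tgz',
    },
    'internal-wrapper': {
      version: '2.3.0',
      // Private wrapper library pulled from an internal git host.
      resolved: 'git+ssh://git@example.internal/team/internal-wrapper.git#abc123',
      dependencies: {
        'nested-public': {
          version: '0.9.1',
          resolved: 'https://registry.npmjs.org/nested-public/-/nested-public-0.9.1.tgz',
          dependencies: {
            'deep-public': {
              version: '4.4.4',
              resolved: 'https://registry.npmjs.org/deep-public/-/deep-public-4.4.4.tgz',
            },
          },
        },
        'internal-util': { version: '1.1.0', resolved: 'file:../internal-util' },
      },
    },
  },
};

// True when the lock entry was fetched from the public registry.
function isPublic(entry) {
  return typeof entry.resolved === 'string' && entry.resolved.startsWith(PUBLIC_REGISTRY);
}

// Walk the nested dependency tree and classify every node.
// Returns { shadowed, private }: `shadowed` lists public packages that have at
// least one non-public ancestor (the ones an audit would skip per this thread);
// `private` lists the non-public packages themselves. Paths use " > " separators.
function findShadowedPackages(lock) {
  const shadowed = [];
  const privates = [];

  function walk(deps, path, underPrivate) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      const pub = isPublic(entry);
      if (!pub) {
        privates.push(here.join(' > '));
      } else if (underPrivate) {
        shadowed.push(here.join(' > '));
      }
      walk(entry.dependencies, here, underPrivate || !pub);
    }
  }

  walk(lock.dependencies, [], false);
  return { shadowed, private: privates };
}

// Flat, de-duplicated list of name@version ids that still need an audit.
function shadowedIds(lock) {
  const ids = findShadowedPackages(lock).shadowed.map((p) => p.split(' > ').pop());
  return [...new Set(ids)].sort();
}

const report = findShadowedPackages(SAMPLE_LOCK);
console.log('non-public packages:', report.private);
console.log('public packages hidden under a private ancestor:', report.shadowed);
console.log('ids to audit separately:', shadowedIds(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the `shadowedIds` list is the set of name@version pairs to check against advisory data by another route, since they are the ones the thread says the registry-side audit will not see. Lockfiles written by npm 7 and later use a flat `packages` map rather than nested `dependencies`, so this walker applies only to the v6-era format discussed here.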
