This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

NPM audit uses package-lock.json to imply vulnerabilities when underlying package is upgraded in node_modules #20871

Open
FahdW opened this issue Jun 1, 2018 · 0 comments

Comments


FahdW commented Jun 1, 2018

I'm opening this issue because:

  • npm is crashing.
  • npm is producing an incorrect install.
  • npm is doing something I don't understand.
  • npm is producing incorrect or undesirable behavior.
  • Other (see below for feature requests):

What's going wrong?

I am running an npm audit. I am using a library that has an underlying library sshpk. If I add this library to node_modules directly it is the most up to date version and technically all vulnerabilities would be solved at that juncture. However, due to some of my dependencies using an outdated version and logging it into the package-lock file, it will incorrectly determine that the vulnerability is still there.

I use this library in two places. In one project I managed to get the vulnerabilities to go away using 6.1 and reinstalling the dependencies, while another project seems to continue to include it in its package-lock, and asks me to manually review this vulnerability instead.

How can the CLI team reproduce the problem?

The library in question is prometheus-gc-stats; it has an underlying sshpk vulnerability.

Supporting information:

  • npm -v prints: 6.1.0
  • node -v prints: 9.11.1
  • npm config get registry prints: https://registry.npmjs.org/
  • Windows, OS X/macOS, or Linux?: MacOS
  • Network issues:
    • Geographic location where npm was run:
    • I use a proxy to connect to the npm registry.
    • I use a proxy to connect to the web.
    • I use a proxy when downloading Git repos.
    • I access the npm registry via a VPN
    • I don't use a proxy, but have limited or unreliable internet access.
  • Container:
    • I develop using Vagrant on Windows.
    • I develop using Vagrant on OS X or Linux.
    • I develop / deploy using Docker.
    • I deploy to a PaaS (Triton, Heroku).