Motivation ("The Why")
I'd like to be able to install a package without the resulting tree containing any advisories that could be fixed automatically.
How
Current Behaviour
Currently it's possible for npm install to select versions that npm audit fix would later switch away from. npm audit fix may flag the most recent version as insecure, necessitating a downgrade.
Desired Behaviour
npm install would apply the constraints from the advisories provided by npm audit when it first selects a version to use. When overrides based on audit advisories are supported, they would also be applied during the initial install.
It would be difficult to use the current audit endpoints to provide this functionality without substantial overhead. I would suggest that advisories be injected into the packument so that they're always available to the installer without it having to make additional HTTP requests.
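The following is an added example, not npm's code and not part of this proposal's text, showing the difference between the current and desired behaviour described above. It constructs a packument inline with a hypothetical top-level `advisories` field (the field name and its `vulnerable_versions` shape are assumptions for illustration), then resolves a version with and without advisory constraints applied. The range parser only understands simple comparators joined by spaces and `||`; it stands in for a real semver implementation.

```javascript
// Added example (assumption: packuments carry a top-level "advisories" array,
// each entry with an "id" and a semver "vulnerable_versions" range).

// Constructed packument: the latest version (2.1.0) is covered by an
// advisory with no patched release yet, and 1.2.0 is covered by an older one.
const packument = {
  name: "example-pkg",
  "dist-tags": { latest: "2.1.0" },
  versions: {
    "1.2.0": {}, "1.3.0": {}, "1.3.1": {}, "2.0.0": {}, "2.1.0": {},
  },
  advisories: [
    { id: "EXAMPLE-1", vulnerable_versions: "<1.3.0" },   // fixed in 1.3.0
    { id: "EXAMPLE-2", vulnerable_versions: ">=2.0.0" },  // no fix published
  ],
};

// Minimal x.y.z comparison (no prerelease/build metadata support).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// One comparator such as ">=1.2.0", "<2.0.0" or "1.3.1".
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const op = m[1] || "=";
  const cmp = compareVersions(version, m[2]);
  switch (op) {
    case ">=": return cmp >= 0;
    case "<=": return cmp <= 0;
    case ">":  return cmp > 0;
    case "<":  return cmp < 0;
    default:   return cmp === 0;
  }
}

// A range is alternatives separated by "||", each a space-joined set of
// comparators that must all hold.
function satisfiesRange(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => satisfiesComparator(version, c)));
}

// Advisories from the packument that cover the given version.
function advisoriesFor(packument, version) {
  return (packument.advisories || [])
    .filter((a) => satisfiesRange(version, a.vulnerable_versions))
    .map((a) => a.id);
}

// Pick the highest version matching wantedRange. With applyAdvisories=true,
// versions covered by an advisory are skipped, which is the desired behaviour
// above; null means no advisory-free candidate exists (the caller decides
// whether to fall back, fail, or report).
function selectVersion(packument, wantedRange, applyAdvisories) {
  const candidates = Object.keys(packument.versions)
    .filter((v) => satisfiesRange(v, wantedRange))
    .sort(compareVersions)
    .reverse();
  for (const v of candidates) {
    if (applyAdvisories && advisoriesFor(packument, v).length > 0) continue;
    return v;
  }
  return null;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const range of [">=1.0.0", ">=1.0.0 <2.0.0", ">=2.0.0"]) {
    const current = selectVersion(packument, range, false);
    const desired = selectVersion(packument, range, true);
    console.log(`${range}: current install -> ${current} ` +
      `(advisories: ${advisoriesFor(packument, current).join(", ") || "none"}), ` +
      `advisory-aware install -> ${desired}`);
  }
}
```

With the constructed data, a plain `>=1.0.0` install picks 2.1.0 and `npm audit fix` would then have to downgrade it; an advisory-aware install picks 1.3.1 up front. For `>=2.0.0` there is no advisory-free version at all, which is the case an installer would need to surface to the user rather than silently resolve.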