NPM audit not finding vulnerabilities


I have a CI service that runs npm audit on every build and notifies if there are high-risk vulnerabilities. The strange thing is that when CI reports high vulnerabilities and I run npm audit locally, it says found 0 vulnerabilities. It will find the issue in a few days...

For example, the CI reports about: CVE-2020-7774: The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

But on local dev env:
no issues

Both CI and local use Node 15.12.0 and npm 7.6.3.

Why is npm audit not finding the latest issues? Is there any way to force update it or something?

npm --verbose audit output: [screenshot]

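A local cross-check that does not depend on what npm audit reports: the sketch below scans an npm 7 lockfile (lockfileVersion 2) for installed y18n copies in the ranges quoted for CVE-2020-7774. It is an added example, not part of the original question; the function names, the sample lockfile, and the reading of "before 3.2.2, 4.0.1, and 5.0.5" as one fixed version per major line are assumptions.

```javascript
// Added example: flag y18n installs that fall in the ranges quoted for CVE-2020-7774.
// Assumption: one fixed version per major line; majors 0-3 are fixed by 3.2.2.
const FIXED = { 3: [3, 2, 2], 4: [4, 0, 1], 5: [5, 0, 5] };

function parseVersion(v) {
  // Pre-release/build suffixes are ignored (a simplification).
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

function isAffectedY18n(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: report it for manual review
  const fixed = FIXED[Math.max(v[0], 3)];
  // Majors above 5 are not covered by the quoted advisory text.
  return fixed ? isBefore(v, fixed) : false;
}

function findAffectedY18n(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Nested copies appear as node_modules/<parent>/node_modules/y18n
    if (!path.endsWith("node_modules/y18n")) continue;
    if (isAffectedY18n(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from the question)
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/y18n": { version: "5.0.5" },
    "node_modules/yargs/node_modules/y18n": { version: "4.0.0" },
    "node_modules/old-cli/node_modules/y18n": { version: "3.2.1" },
  },
};
console.log(findAffectedY18n(sampleLock));
```

Against a real project, pass the parsed package-lock.json (for example via JSON.parse on the file contents) to findAffectedY18n in both the CI workspace and the local checkout and compare the results.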