npm audit check mostly important thing is advisories list. Auditing policy can be different and can be more specific in different projects.
For example: we have locally published packages with vulnerabilities in dependencies. And we want to check all dependencies with advisories list.
npm audit command wouldn’t show all of vulnerabilities. But we can change this behavior locally and check versions of packages with usage of dependencies tree and advisories list. Additionally we can extend advisories list with own items for local packages.
Open source is cool and it would be excellent to get actual list of advisories (https://www.npmjs.com/advisories with header
x-spiferack = 1). It could be done like the
caniuse-db package. New patches could be published as soon as new advisory had been added to the list.