What I Wanted to Do
Had email@example.com as a dependency in my package-lock.json. It was installed prior to the takeover and removal from npmjs, so it was in my cache.
I would have expected the vulnerability to be displayed when running npm audit
What Happened Instead
When running npm audit, no vulnerability showed up.
Hard to do. You need a vulnerable package that has been removed from npmjs, but still in your cache.
This bug has been reported in the yarn issue tracker too: https://github.com/yarnpkg/yarn/issues/6729
An additional point: shouldn’t, in a case like this, a new version be published, in addition to the removal of the offending release. Some of my dependencies depend on event-stream@~3.0.0. If a 3.3.7 was released in addition to the removal in 3.3.6, the package would have upgraded itself by just deleting the package-lock and doing a new npm install, instead of having to clean the cache