npm audit results different from GitHub security reports

GitHub is sending email reports warning about the “mem” Node.js package v4- when earlier versions of mem are present in package-lock.json, including development-time dependencies. However, npm audit does not warn on this package. This presents conflicting information to Node.js users.

In general this may occur because the scans are consulting some different sources. There is an idea open about integrating them:
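One way to surface this kind of discrepancy yourself is to cross-check the lock file against the `npm audit --json` output for a package you already know is being flagged elsewhere. The script below is an added example, not code from the original post or from npm/GitHub: it reads a package-lock.json (lockfileVersion 1, 2 or 3), lists every installed copy of the watched package (dev dependencies included), and reports any copy in the watched version range that `npm audit` did not mention. The lock file, the audit output and the watch range (`mem` below 4.0.0, read from the post's "v4-") are all constructed assumptions for the sake of the example.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 2 shape); not from the original post.
# A dev-only tool pulls in an old nested copy of mem while the top-level copy is newer.
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app", "devDependencies": {"some-dev-tool": "^1.0.0"}},
    "node_modules/some-dev-tool": {"version": "1.0.0", "dev": true,
                                   "dependencies": {"mem": "^1.1.0"}},
    "node_modules/some-dev-tool/node_modules/mem": {"version": "1.1.0", "dev": true},
    "node_modules/mem": {"version": "4.3.0"}
  }
}
""")

# Constructed `npm audit --json` output (npm 7+ shape) that reports nothing for mem.
AUDIT = json.loads("""
{"auditReportVersion": 2, "vulnerabilities": {}, "metadata": {"vulnerabilities": {"total": 0}}}
""")

# Assumed watch range taken from the post's "mem v4-": anything below 4.0.0.
WATCHLIST = {"mem": (4, 0, 0)}


def parse_version(v):
    """Turn '1.2.3' (optionally with a pre-release/build suffix) into a comparable tuple."""
    core = v.split("-")[0].split("+")[0]
    parts = core.split(".")
    return tuple(int(p) if p.isdigit() else 0 for p in (parts + ["0", "0"])[:3])


def installed_packages(lock):
    """Yield (name, version, is_dev) for every installed package in a v1, v2 or v3 lock file."""
    if "packages" in lock:  # lockfileVersion 2/3: keyed by node_modules path
        for path, meta in lock["packages"].items():
            if not path:  # the root project entry
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), bool(meta.get("dev", False))
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps):
            for name, meta in deps.items():
                yield name, meta.get("version", ""), bool(meta.get("dev", False))
                yield from walk(meta.get("dependencies", {}))
        yield from walk(lock.get("dependencies", {}))


def audited_names(audit):
    """Package names that npm audit reported, for both npm 6 and npm 7+ JSON shapes."""
    names = set(audit.get("vulnerabilities", {}))  # npm 7+: keyed by package name
    for adv in audit.get("advisories", {}).values():  # npm 6: keyed by advisory id
        names.add(adv.get("module_name", ""))
    return names


def unflagged(lock, audit, watchlist):
    """Return installed copies in the watched range that npm audit did not report."""
    reported = audited_names(audit)
    findings = []
    for name, version, is_dev in installed_packages(lock):
        if name in watchlist and parse_version(version) < watchlist[name] and name not in reported:
            findings.append({"name": name, "version": version, "dev": is_dev})
    return findings


if __name__ == "__main__":
    for f in unflagged(LOCKFILE, AUDIT, WATCHLIST):
        scope = "dev" if f["dev"] else "prod"
        print(f"{f['name']}@{f['version']} ({scope}) is below the watched range but absent from npm audit")
```

On a real project, replace the constructed `LOCKFILE` and `AUDIT` with `json.load(open("package-lock.json"))` and the captured output of `npm audit --json`; the nested dev-only copy is exactly the case the post describes, since a newer top-level copy does not remove the older one installed under a dev tool.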
