npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm audit results different from GitHub security reports

GitHub is sending email reports warning about the “mem” Node.js package v4- when earlier versions of mem are present in package-lock.json, including development-time dependencies. However, npm audit does not warn on this package. This presents conflicting information to Node.js users.


In general this may occur because the scans are consulting some different sources. There is an idea open about integrating them: