Where should vulnerabilities be reported to be included in the NPM registry?
For example, Electron 2.0.18 fixed CVE-2019-5786 (https://electronjs.org/blog/filereader-fix), and node_modules/electron/package.json reports that I have 2.0.14 installed, but npm audit does not report it. I’m not sure how to manually query the registry for all it knows about Electron to double check that the issue is on the registry side, though.
From the info on the website, it would appear this sort of thing is handled by emailing the npm security team, but for what is essentially a documentation update, it seems overkill to involve them (the security inbox should be for things that are on fire).