npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Where to report a vulnerability missing in the audit registry?

Where should vulnerabilities be reported to be included in the NPM registry?

For example, Electron 2.0.18 fixed CVE-2019-5786 (, and node_modules/electron/package.json reports that I have 2.0.14 installed, but npm audit does not report it. I’m not sure how to manually query the registry for all it knows about Electron to double check that the issue is on the registry side, though.

From the info on the website, it would appear this sort of thing is handled by emailing the npm security team, but for what is essentially a documentation update, it seems overkill to involve them (the security inbox should be for things that are on fire).