
Ability to suppress vulnerability warnings #132

Open
mhdawson opened this issue Mar 2, 2022 · 2 comments

Comments

@mhdawson
Contributor

mhdawson commented Mar 2, 2022

A concrete case. One of our top level modules referenced in the ref arch depends on a module which then depends on a module... which in turn depends on https://www.npmjs.com/package/opencollective. That module uses an old version of node-fetch that is reported as having a high vulnerability.

Looking at the module and what it does it's clearly not an issue.

@richardlau did you have any thoughts about how we might have an exclude list when you did the original work on the vulnerability checks?

@richardlau
Contributor

I didn't do the original work on the vulnerability checks, that was @aalykiot (I did fix them when the endpoint we were connecting to changed when npm and GitHub merged their databases).

Could we use something like https://www.npmjs.com/package/npm-audit-resolver? Is there anything in the pipeline from the package maintenance team?

@mhdawson
Contributor Author

mhdawson commented Mar 2, 2022

@richardlau thanks for the clarification. I'd looked at who did recent changes and could not quite remember.

I like the suggestion to use https://www.npmjs.com/package/npm-audit-resolver. The collaboration space on that front from the package maintenance team has stalled out. Getting some hands on experience using npm-audit-resolver seems like a good thing on its own as well. The key question I guess is how/what integration with npcheck would look like.
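To make the "exclude list" idea from this thread concrete, here is an added example (not npcheck's or npm-audit-resolver's code) of how a suppression list could be applied to audit findings: each suppression must name the advisory and the dependency path it covers, carry a reason, and carry an expiry so the exclusion is revisited instead of silently outliving the transitive dependency that justified it. The finding/suppression shapes and the advisory id `ADV-1` are constructed for the example, not npm's real audit format.

```javascript
// Constructed findings in a simplified shape (not npm audit's real output).
// The first mirrors the case in the thread: node-fetch reached via opencollective.
const findings = [
  { id: 'ADV-1', severity: 'high', module: 'node-fetch',
    path: ['top-level-app', 'mid-dep', 'opencollective', 'node-fetch'] },
  { id: 'ADV-2', severity: 'moderate', module: 'other-lib',
    path: ['top-level-app', 'other-lib'] },
];

// Constructed suppression list: advisory id + path suffix, a reason, an expiry.
// A suppression without a reason is ignored so exclusions stay auditable.
const suppressions = [
  { id: 'ADV-1', pathEndsWith: ['opencollective', 'node-fetch'],
    reason: 'vulnerable node-fetch code path not reachable from our usage',
    expires: '2022-06-01' },
];

// True when `path` ends with the segments in `suffix` (matches a specific
// transitive route, not every occurrence of the module in the tree).
function pathMatches(path, suffix) {
  if (suffix.length === 0 || suffix.length > path.length) return false;
  const offset = path.length - suffix.length;
  return suffix.every((seg, i) => path[offset + i] === seg);
}

// Partition findings into those still reported, those suppressed (with the
// recorded reason), and suppressions that have expired and no longer apply.
function applySuppressions(findings, suppressions, today) {
  const remaining = [], suppressed = [], stale = [];
  for (const f of findings) {
    const match = suppressions.find(
      (s) => s.id === f.id && s.reason && pathMatches(f.path, s.pathEndsWith));
    if (!match) { remaining.push(f); continue; }
    if (new Date(match.expires) < today) {
      stale.push(match);      // expired: surface the finding again
      remaining.push(f);
      continue;
    }
    suppressed.push({ finding: f, reason: match.reason });
  }
  return { remaining, suppressed, stale };
}

// Usage: on the issue's date the node-fetch finding is suppressed; after the
// expiry it is reported again together with the stale suppression entry.
const report = applySuppressions(findings, suppressions, new Date('2022-03-02'));
console.log(`${report.remaining.length} open, ${report.suppressed.length} suppressed, ${report.stale.length} stale`);
```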
