Zbyszek Tenerowicz

Results 283 comments of Zbyszek Tenerowicz

@ersel if you're running it inside an npm script, you can use it as a command `check-audit` and it resolves from dependencies. Otherwise I'd go with `npx -p npm-audit-resolver check-audit`...

I've updated the RFC and I'm working on a refactoring to separate the core features from npm-related and interactive ones. Could we agree on making `npm audit` use audit-resolve.json being...

Hi, I'm finishing the refactoring I mentioned before. My suggestion to proceed now is that `npm` (and potentially other package managers) can use the core of npm-audit-resolver to include facts...

I couldn't join the RFC meetings, because I tend to give my kid a bath at that time and it's not optional ;) I'll try next time. @ruyadorno @darcyclarke Let's...

Thanks for bringing it up @Den-dp The important difference here is audit-ci is only operating on risk levels or advisory allowlist. audit-resolve.json file is encoding precisely which items were ignored...

Thanks for mentioning compression. Although the goal is to be very explicit not to invite future occurrences, you got me thinking. The list can be compressed by putting a wildcard...

@nierob that doesn't cover when a package from your dev deps gets ignored because the vulnerable code is obviously unreachable, but then it resurfaces as a prod dependency pulled by...

@jfaylon There's a collaboration space being set up under the OpenJS Foundation to tackle this. For now you can use https://www.npmjs.com/package/npm-audit-resolver for your vulnerability management. My team's been doing that...

> if this RFC is not reflective of a proposal, should it be closed? It's already been extremely misleading given that it's not the "real" representation of what the proposal...

BTW. I'm very near releasing a new major version of npm-audit-resolver, if anyone wants to help out. Happy to go back to discussing getting the policy check into npm cli....