[BUG] Advisory IDs returned by audit have changed

[naugtur]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

There's been multiple reports of advisory ID changes here: naugtur/npm-audit-resolver#56

Advisory ID saved from earlier npm audit --json is not matching the current output.

Expected Behavior

Advisory IDs don't change.

Steps To Reproduce

1. Take a file where an advisory ID was saved in the past
2. Run npm audit --json for the same vulnerable package
3. Observe a different value

Environment

• npm: 7+
• Node.js: any
• OS Name: any

[naugtur]

Some folks were suggesting it may be related to npm advisory page now redirecting to github advisories.

IF that's the case - is there something I could use to exchange the old ID for the new one to make a one-off tool to fix the situation?

[adevine]

As one point of clarification, we are seeing the advisory IDs change frequently, i.e. I'd save a resolution file with npm-audit-resolver, then the IDs would change the next day, then I'd update the resolution file, only to have it break the next day again.

[wraithgar]

Those numbers are controlled by the npm registry itself, not the cli. Registry support should go through https://www.npmjs.com/support