Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Running npm audit (seemingly) always exists with a 0 exit code, even if a vulnerability is found (with a severity higher than configured by the audit-level).

In contrast, npm@8.15.0 (node@18.7.0) exits with a 1 if a vulnerability is found (with a severity higher than configured by the audit-level).

Expected Behavior

Per the Exit Code section:

[...]

If vulnerabilities were found the exit code will depend on the audit-level config.

Steps To Reproduce

1. Clone https://github.com/ericcornelissen/shescape/tree/dbaa0fd36af4fd0439af87548ce710468f25cb18
2. Run npm audit
3. Observe a warning for (at least) the high severity vulnerability GHSA-9c47-m6qq-7p4h
4. Run echo $?
5. Observe a 0 being printed

Environment

• npm: 9.6.5
• Node.js: v20.0.0
• OS Name: Ubuntu 22.04.2 LTS
• System Model Name: custom
• npm config:

; "user" config from ~/.npmrc update-notifier = false ; "project" config from ~/workspace/shescape/.npmrc lockfile-version = "3" save-exact = true save-prefix = "" ; node bin location = ~/.nvm/versions/node/v20.0.0/bin/node ; node version = v20.0.0 ; npm local prefix = ~/Documents/workspace/shescape ; npm version = 9.6.5 ; cwd = ~/Documents/workspace/shescape ; HOME = ~ ; Run `npm config ls -l` to show all defaults.