npm / cli

the package manager for JavaScript

Home Page: https://docs.npmjs.com/cli/

[BUG] npm audit stopped audit packages

yoieh opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Having a version of a package with a known CVE installed gives:
found 0 vulnerabilities

Related issue found with yarn audit: yarnpkg/yarn#9054

Expected Behavior

Should at least find some vulnerabilities...

Steps To Reproduce

  • npm create vite@latest
  • create with any template.
  • cd
  • Install express at exact version 4.14.0, add: "express": "4.14.0" to package.json
  • npm i
  • npm audit

Should find this: GHSA-rv95-896h-c2vc

Environment

  • npm: 10.6.0
  • Node.js: v20.11.0, but gives the same results on other versions...
  • OS Name: Mac and Ubuntu
  • npm config:
; node bin location = /Users/.../.nvm/versions/node/v20.11.0/bin/node
; node version = v20.11.0
; npm local prefix = /Users/.../test-npm-audit
; npm version = 10.2.4
; cwd = /Users/.../test-npm-audit
; HOME = /Users/...
; Run `npm config ls -l` to show all defaults.
commented

duplicate: #7445
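
A "found 0 vulnerabilities" result like the one reported in this issue looks the same as a clean project, so a pipeline can pin a known-vulnerable canary and fail when the audit does not flag it. The sketch below is an added example, not part of the issue or of npm's code: it checks the parsed output of `npm audit --json` for the advisory named in the issue. The function names and both sample reports are constructed, and the sample reports keep only the fields the check reads.

```javascript
// Added example: canary check over parsed `npm audit --json` output.
// The advisory ID is the one named in the issue; everything else is constructed.
const EXPECTED = ["GHSA-rv95-896h-c2vc"];

// Collect every GHSA ID referenced in the report's "vulnerabilities" map.
function advisoryIds(report) {
  const ids = new Set();
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      // String entries only name another vulnerable package; objects carry the advisory URL.
      if (typeof via !== "object" || via === null) continue;
      const m = /GHSA(-[0-9a-z]{4}){3}/i.exec(String(via.url || ""));
      if (m) ids.add(m[0].toLowerCase());
    }
  }
  return ids;
}

// ok is true only when every expected canary advisory appears in the report.
function checkCanary(report, expected = EXPECTED) {
  if (!report || typeof report.vulnerabilities !== "object") {
    // Anything without a vulnerabilities map is treated as a failed audit, not a clean one.
    return { ok: false, reason: "not an audit report", missing: expected.slice() };
  }
  const seen = advisoryIds(report);
  const missing = expected.filter((id) => !seen.has(id.toLowerCase()));
  const reason = missing.length ? "canary advisory not reported" : "canary advisory reported";
  return { ok: missing.length === 0, reason, missing };
}

// Constructed sample: the behaviour reported in the issue (nothing found).
const silentReport = {
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities: { total: 0 } },
};

// Constructed sample: the expected behaviour, with express flagged.
const healthyReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    express: {
      name: "express",
      via: [{ name: "express", url: "https://github.com/advisories/GHSA-rv95-896h-c2vc" }, "some-dependency"],
    },
  },
  metadata: { vulnerabilities: { total: 1 } },
};
```

In a pipeline, the input would be `JSON.parse` of the audit's stdout, run in a scratch project that pins `"express": "4.14.0"` as in the reproduction steps.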