[BUG] Inconsistent audit json with minimal example

[georg-eckert-zeiss]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "copy-webpack-plugin": {
      "name": "copy-webpack-plugin",
      "severity": "high",
      "isDirect": true,
      "via": [
        "serialize-javascript"
      ],
      "effects": [],
      "range": "4.3.0 - 5.1.1",
      "nodes": [
        "node_modules/copy-webpack-plugin"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "5.1.2",
        "isSemVerMajor": false
      }
    },
    "serialize-javascript": {
      "name": "serialize-javascript",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1095131,
          "name": "serialize-javascript",
          "dependency": "serialize-javascript",
          "title": "Insecure serialization leading to RCE in serialize-javascript",
          "url": "https://github.com/advisories/GHSA-hxcc-f52p-wc94",
          "severity": "high",
          "cwe": [
            "CWE-502"
          ],
          "cvss": {
            "score": 8.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<3.1.0"
        }
      ],
      "effects": [
        "copy-webpack-plugin"
      ],
      "range": "<3.1.0",
      "nodes": [
        "node_modules/serialize-javascript"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "5.1.2",
        "isSemVerMajor": false
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 2,
      "critical": 0,
      "total": 2
    },
    "dependencies": {
      "prod": 103,
      "dev": 0,
      "optional": 0,
      "peer": 68,
      "peerOptional": 0,
      "total": 170
    }
  }
}

See how the property via in copy-webpack-plugin contains an array of strings and in serialize-javascript contains an array of complex objects.

Expected Behavior

Either both contain only the references or both contain the full objects.

Steps To Reproduce

1. In Windows 11 with Node.js 23
2. use the following file and run the following commands

project.json

{
  "main": "index.js",
  "private": true,
  "license": "UNLICENSED",
  "dependencies": {
     "copy-webpack-plugin": "5.1.1"
  }
}

then run:

npm update --save
npm audit --json

Environment

• npm: 10.9.0
• Node.js: v23.1.0
• OS Name: Windows 11
• npm config:

; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\<USER>\\AppData\\Roaming\\npm"

; "user" config from C:\Users\<USER>\.npmrc

//<URL>/npm/registry/:_password = (protected)
//<URL>/npm/registry/:email = (protected)
//<URL>/npm/registry/:username = (protected)

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v23.1.0
; npm local prefix = C:\dev\MyProject
; npm version = 10.9.0
; cwd = C:\dev\MyProject
; HOME = C:\Users\<USER>
; Run `npm config ls -l` to show all defaults.

[georg-eckert-zeiss]

Additionally serialize-javascript contains itself in its via property.