npm audit false negative after npm-force-resolutions #40

Open
cronon opened this issue Aug 3, 2021 · 0 comments
cronon commented Aug 3, 2021

Imagine in my package-lock I have a transitive dependency v1 which has a vulnerability fixed in v3. If I go to the package-lock and change the version of the dependency to v2, which still has the vulnerability, npm audit will not raise a warning about it.

I faced that in one of my projects and managed to isolate this to the following steps:

  1. Create an empty project
  2. Install [email protected]
  3. npm audit shows a warning about [email protected]. The problem within the package is fixed in versions 3.0.1 and 4.0.1
  4. Now we want to resolve it to version 2 with npm-force-resolutions https://github.com/rogeriochaves/npm-force-resolutions
    4.1. Install the package
    4.2. Add `"resolutions": {"trim-newlines": "^2.0.0"}` to your package.json
    4.3. Run `./node_modules/.bin/npm-force-resolutions`
    4.4. (It seems this doesn't affect it; we can run `npm ci`)
  5. Now run npm audit again and it finds 0 vulnerabilities, even though we have the vulnerable version both in node_modules and in package-lock

```sh
npm init --yes
npm i [email protected] npm-force-resolutions
```

See the warning about vulnerabilities. Add `"resolutions": {"trim-newlines": "^2.0.0"}` to your package.json.

```sh
./node_modules/.bin/npm-force-resolutions
npm ci
npm audit
```

See no warning here.

I did it with [email protected] and a similar thing happened with [email protected]

I don't really understand if it is a problem with npm-force-resolutions or with npm itself. I also opened a ticket there: npm/cli#3605
