In order to force devs to update vulnerabilities more often we wanted to add npm audit to a pre-push hook. We thought this would cut down on the number of dependabot alerts too.

However, while dependabot is still raising PRs to our repos, npm audit says everything is fine.

It was my understanding that they both read from the same database now: https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

Why isn't npm audit returning vulnerabilities when dependabot is?

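An added example, not from the question or any answer, of the pre-push gate the question describes: it runs `npm audit --json` (npm 7+ schema, which reports totals under `metadata.vulnerabilities`) and blocks the push when anything at or above a chosen severity is found. The script name `audit_gate.py` and the sample report are assumptions; `npm audit` exits non-zero whenever findings exist, so the exit code is deliberately not treated as an error.

```python
import json
import subprocess
import sys

# npm 7+ `npm audit --json` reports totals under metadata.vulnerabilities
SEVERITIES = ["info", "low", "moderate", "high", "critical"]


def count_at_or_above(report: dict, threshold: str = "high") -> int:
    """Number of findings whose severity is >= threshold."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    floor = SEVERITIES.index(threshold)
    return sum(int(counts.get(level, 0)) for level in SEVERITIES[floor:])


def should_block_push(report: dict, threshold: str = "high") -> bool:
    """True when the push should be refused under the given threshold."""
    return count_at_or_above(report, threshold) > 0


def run_npm_audit(cwd: str = ".") -> dict:
    """Run npm audit in the repo root (it reads package-lock.json there);
    a non-zero exit only means findings exist, so stdout is parsed regardless."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=cwd,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


# Constructed sample in the shape npm 7+ emits; not real audit output
SAMPLE_REPORT = {
    "vulnerabilities": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 1,
                                     "high": 3, "critical": 1, "total": 7}},
}


if __name__ == "__main__":
    # Hypothetical hook wiring: .git/hooks/pre-push runs `python3 audit_gate.py high`
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    report = run_npm_audit()
    found = count_at_or_above(report, threshold)
    if should_block_push(report, threshold):
        print(f"push blocked: {found} finding(s) at severity >= {threshold}")
        sys.exit(1)
    print(f"npm audit: nothing at or above {threshold}")
```

The gate only sees what npm audit resolves from the lockfile in the directory it runs in, so run it from the repository root where package-lock.json lives.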
