npm / arborist / #979 / 1

push

audit: support alias specs and root package names

When the root package is a folder like '@magic/semver', the audit logic
would look at node.name, and see it as 'semver', and then report it as a
vulnerability.

Additionally, a dependency like 'npm:mkdirp@0.5.1' would not be detected
as a vulnerability, because the alias spec would never match against the
semver range (assuming that the dependency name even was found as a
vulnerability in the first place).

The fix here is:

1. Add Node.packageName getter, which returns the 'name' field from the
  node's package object.
2. Add this field as a queryable field in the inventory.
3. Base audits off of the packageName field, rather than the name field.

Fix: https://github.com/npm/cli/issues/3166

3028 of 3028 branches covered (100.0%)

Branch coverage included in aggregate %.

4106 of 4106 relevant lines covered (100.0%)

564.2 hits per line