
[BUG] npm audit recommends reverting to a different version that contains even more vulnerabilities #6079

@PCOffline

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I am using twilio@3.84.1, which is dependent on a vulnerable version of jsonwebtoken.
npm audit offers to revert to twilio@2.5.2 if I use the --force flag.
[Screenshot: npm audit recommends downgrading to twilio@2.5.2]
twilio@2.5.2, however, contains 11 vulnerabilities which npm fails to warn about before downgrading.
[Screenshot: twilio@2.5.2 contains 11 vulnerabilities]

Expected Behavior

I would expect the behaviour to prefer fewer vulnerabilities (especially when 2.5.2 has 3 critical and 3 high vulnerabilities, while 3.84.1 has 1 high and 1 moderate), or at the very least warn of existing vulnerabilities in the offered version.

Steps To Reproduce

  1. npm init
  2. npm i twilio@3.84.1
  3. npm audit
  4. npm audit fix --force
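As an added check that is not part of the issue or of npm itself: a small script that compares the metadata.vulnerabilities block of two `npm audit --json` reports, captured before and after `npm audit fix --force`, and flags a downgrade like the one described above as a regression. The two embedded reports are constructed from the counts in the report; the moderate/low split for twilio@2.5.2 is an assumption.

```python
"""Flag an `npm audit fix --force` result that leaves the tree worse off, by
comparing the metadata.vulnerabilities block of two `npm audit --json` reports.
Added example, not npm's code; the reports below are constructed from the
counts in the issue (the moderate/low split for twilio@2.5.2 is assumed)."""
import json
import sys

# Most severe first; tuples built in this order compare lexicographically.
SEVERITY_ORDER = ("critical", "high", "moderate", "low", "info")

BEFORE_JSON = json.dumps({  # constructed: twilio@3.84.1 -> 1 high, 1 moderate
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
})

AFTER_JSON = json.dumps({  # constructed: twilio@2.5.2 -> 11 findings, 3 critical, 3 high
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 3,
                                     "high": 3, "critical": 3, "total": 11}},
})

def severity_counts(report_json):
    """Return {severity: count} from report["metadata"]["vulnerabilities"]."""
    meta = json.loads(report_json)["metadata"]["vulnerabilities"]
    return {sev: int(meta.get(sev, 0)) for sev in SEVERITY_ORDER}

def is_regression(before_json, after_json):
    """True when the post-fix tree is worse. Comparing tuples ordered from
    critical down means one new critical outweighs any number of removed lows."""
    before, after = severity_counts(before_json), severity_counts(after_json)
    return tuple(after[s] for s in SEVERITY_ORDER) > tuple(before[s] for s in SEVERITY_ORDER)

def delta(before_json, after_json):
    """Per-severity change; positive means more findings after the fix."""
    before, after = severity_counts(before_json), severity_counts(after_json)
    return {s: after[s] - before[s] for s in SEVERITY_ORDER}

if __name__ == "__main__":
    # Usage: python audit_compare.py before.json after.json (defaults to the samples)
    if len(sys.argv) == 3:
        before, after = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        before, after = BEFORE_JSON, AFTER_JSON
    print("delta:", delta(before, after))
    if is_regression(before, after):
        sys.exit("audit fix increased risk; revert package-lock.json")
```

Capture the inputs with `npm audit --json > before.json`, run `npm audit fix --force`, then `npm audit --json > after.json`; a non-zero exit from the script is the warning the issue asks npm to give.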

Environment

  • npm: 9.3.1
  • Node.js: 16.19.0
  • OS Name: Windows 10 Pro 10.0.19044
  • System Model Name: HP EliteDesk 800 G4 DM 65W
  • npm config:
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\Ldar\\AppData\\Roaming\\npm"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v16.19.0
; npm local prefix = C:\Users\Ldar\Documents\Code\sample-project
; npm version = 9.3.1
; cwd = C:\Users\Ldar\Documents\Code\sample-project
; HOME = C:\Users\Ldar
; Run `npm config ls -l` to show all defaults.

Metadata

Labels

  • Bug: thing that needs fixing
  • Needs Triage: needs review for next steps
  • Release 9.x: work is associated with a specific npm 9 release
