From d98ad255a0572a8ac907f0df653366509fe98a24 Mon Sep 17 00:00:00 2001
From: Jefferson <jefferson.rios.caro@gmail.com>
Date: Wed, 16 Apr 2025 10:55:33 -0500
Subject: [PATCH 1/3] chore: migrate travis to github actions

Signed-off-by: Jefferson <jefferson.rios.caro@gmail.com>

chore: migrate travis to github actions
---
 .github/workflows/ci.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/ci.yaml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..6cbac42
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,28 @@
+name: N|Solid CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  CI:
+    name: CI with N|Solid ${{ matrix.nsolid-version }} (Node ${{ matrix.node-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18, 20, 22]
+        nsolid-version: [5]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup N|Solid ${{ matrix.node-version }}
+        uses: nodesource/setup-nsolid@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+          nsolid-version: ${{ matrix.nsolid-version }}
+      - run: nsolid -vv
+      - run: npm ci || npm install
+      - run: npm run test
+

From 844749dd984cdabbec6e15cc9af2fd0a17f2c950 Mon Sep 17 00:00:00 2001
From: Minwoo Jung <nodecorelab@gmail.com>
Date: Thu, 17 Apr 2025 01:14:05 +0900
Subject: [PATCH 2/3] fix lint issues

---
 commands/report.js          |  50 ++---
 lib/ncm-analyze-tree.js     | 374 ++++++++++++++++++------------------
 lib/report/github-action.js |   6 +-
 lib/util.js                 |   2 +-
 4 files changed, 214 insertions(+), 218 deletions(-)

diff --git a/commands/report.js b/commands/report.js
index c64e9c7..60263d3 100644
--- a/commands/report.js
+++ b/commands/report.js
@@ -139,56 +139,56 @@ async function report (argv, _dir) {
   const isNested = pkgName === nestedPkgName && pkgVersion === nestedPkgVersion
 
   // Processing packages from NCM service
-  let includedCount = 0;
-  let skippedCount = 0;
-  
+  // let includedCount = 0
+  // let skippedCount = 0
+
   for (const { name, version, scores, published } of data) {
-    let maxSeverity = 0;
-    let license = {};
-    const failures = [];
+    let maxSeverity = 0
+    let license = {}
+    const failures = []
 
     for (const score of scores) {
-      const severityValue = SEVERITY_RMAP.indexOf(score.severity);
+      const severityValue = SEVERITY_RMAP.indexOf(score.severity)
 
       if (score.group !== 'compliance' &&
           score.group !== 'security' &&
           score.group !== 'risk') {
-        continue;
+        continue
       }
 
       if (severityValue > maxSeverity) {
-        maxSeverity = severityValue;
+        maxSeverity = severityValue
       }
 
       if (score.pass === false) {
-        failures.push(score);
-        hasFailures = true;
+        failures.push(score)
+        hasFailures = true
       }
 
       if (score.name === 'license') {
-        license = score;
+        license = score
       }
     }
 
     // Modified approach to include ALL packages in the report
     // Even packages with null/undefined versions will be included with a default version
-    let effectiveVersion = version;
+    let effectiveVersion = version
     if (effectiveVersion === null || effectiveVersion === undefined) {
-      effectiveVersion = '0.0.0';
+      effectiveVersion = '0.0.0'
       // Using default version 0.0.0 for package
     }
-    
+
     // Skip nested packages with severity issues
     if (isNested && !!maxSeverity) {
-      skippedCount++;
+      // skippedCount++
       // Skipping nested package
-      continue;
+      continue
     }
-    
+
     // Check if license has failed, which should upgrade to critical severity
-    const getLicenseScore = ({ pass }) => pass === false ? 0 : null;
+    // const getLicenseScore = ({ pass }) => pass === false ? 0 : null
     if (license && license.pass === false) {
-      maxSeverity = 4;
+      maxSeverity = 4
     }
 
     // Add the package to our report
@@ -200,11 +200,11 @@ async function report (argv, _dir) {
       failures,
       license,
       scores
-    });
-    
-    includedCount++;
+    })
+
+    // includedCount++
   }
-  
+
   // Package processing complete
 
   pkgScores = moduleSort(pkgScores)
@@ -212,7 +212,7 @@ async function report (argv, _dir) {
   // Process whitelisted packages
   const whitelisted = pkgScores.filter(pkg => whitelist.has(`${pkg.name}@${pkg.version}`))
     .map(pkgScore => ({ ...pkgScore, quantitativeScore: score(pkgScore.scores, pkgScore.maxSeverity) }))
-  
+
   // Filter out whitelisted packages from the main package list
   pkgScores = pkgScores.filter(pkg => !whitelist.has(`${pkg.name}@${pkg.version}`))
     .map(pkgScore => ({ ...pkgScore, quantitativeScore: score(pkgScore.scores, pkgScore.maxSeverity) }))
diff --git a/lib/ncm-analyze-tree.js b/lib/ncm-analyze-tree.js
index 2b9d998..0ecd68b 100644
--- a/lib/ncm-analyze-tree.js
+++ b/lib/ncm-analyze-tree.js
@@ -8,123 +8,123 @@ const path = require('path')
 // No need for patches since we're not using universal-module-tree anymore
 
 // Use dependency-tree package instead of universal-module-tree
-const dependencyTree = require('dependency-tree');
+const dependencyTree = require('dependency-tree')
 
 // Helper function to convert dependency-tree output to a format similar to universal-module-tree
 const buildDependencyTree = (filename, directory) => {
   // Make sure directory is absolute
-  const absDirectory = path.isAbsolute(directory) ? directory : path.resolve(process.cwd(), directory);
-  
+  const absDirectory = path.isAbsolute(directory) ? directory : path.resolve(process.cwd(), directory)
+
   // Analyze with dependency-tree
-  
+
   try {
     // Check if the target file exists
-    const targetFilePath = path.resolve(absDirectory, filename);
+    const targetFilePath = path.resolve(absDirectory, filename)
     if (!fs.existsSync(targetFilePath)) {
       // Main file doesn't exist, fall back to package.json
-      return { children: [] };
+      return { children: [] }
     }
-    
+
     // Get the dependency tree in object form
     // First attempt: analyze the application code
-    let tree = dependencyTree({
+    const tree = dependencyTree({
       filename: targetFilePath,
       directory: absDirectory,
       filter: path => path.indexOf('node_modules') === -1, // Skip node_modules
       noTypeDefinitions: true // Skip TypeScript definitions
-    });
-    
+    })
+
     // Now we need to get npm dependencies from package.json since we excluded node_modules
     // This approach combines both static analysis and package.json info
-    const npmDeps = getNpmDependencies(absDirectory);
+    // const npmDeps = getNpmDependencies(absDirectory)
     // Mix in the npm dependencies from package.json
-    
+
     // Convert to a format similar to universal-module-tree
-    return convertToUniversalModuleTree(tree, absDirectory);
+    return convertToUniversalModuleTree(tree, absDirectory)
   } catch (err) {
     // Error analyzing dependencies
-    return { children: [] };
+    return { children: [] }
   }
-};
+}
 
 // Helper function to get npm dependencies from package.json
-function getNpmDependencies(directory) {
-  const deps = [];
-  const pkgJsonPath = path.join(directory, 'package.json');
-  
+function getNpmDependencies (directory) {
+  const deps = []
+  const pkgJsonPath = path.join(directory, 'package.json')
+
   try {
     if (fs.existsSync(pkgJsonPath)) {
-      const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
-      
+      const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'))
+
       // Combine all dependency types
       const allDeps = {
         ...pkgJson.dependencies || {},
         ...pkgJson.devDependencies || {},
         ...pkgJson.peerDependencies || {},
         ...pkgJson.optionalDependencies || {}
-      };
-      
+      }
+
       // Create a dependency object for each npm package
       for (const [name, version] of Object.entries(allDeps)) {
         // Clean up version strings (remove ^, ~, etc.)
-        let cleanVersion = version;
+        let cleanVersion = version
         if (typeof version === 'string') {
-          cleanVersion = version.replace(/^[^0-9]*/, '');
+          cleanVersion = version.replace(/^[^0-9]*/, '')
         }
-        
+
         deps.push({
           name,
           version: cleanVersion || '0.0.0'
-        });
+        })
       }
     }
   } catch (err) {
     // Error reading package.json
   }
-  
-  return deps;
+
+  return deps
 }
 
 // Convert dependency-tree format to universal-module-tree format
-function convertToUniversalModuleTree(tree, baseDir) {
+function convertToUniversalModuleTree (tree, baseDir) {
   // Get the root node (first key in the object)
-  const rootKey = Object.keys(tree)[0];
-  if (!rootKey) return { children: [] };
-  
+  const rootKey = Object.keys(tree)[0]
+  if (!rootKey) return { children: [] }
+
   // Extract package info from package.json if available
-  const pkgJsonPath = path.join(baseDir, 'package.json');
-  let pkgInfo = { name: path.basename(baseDir), version: '0.0.0' };
-  
+  const pkgJsonPath = path.join(baseDir, 'package.json')
+  let pkgInfo = { name: path.basename(baseDir), version: '0.0.0' }
+
   try {
     if (fs.existsSync(pkgJsonPath)) {
-      const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+      const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'))
       pkgInfo = {
         name: pkgJson.name || pkgInfo.name,
         version: pkgJson.version || pkgInfo.version
-      };
+      }
     }
   } catch (err) {
     // Ignore package.json errors
   }
-  
+
   // Add npm dependencies directly to the tree
-  const npmDeps = getNpmDependencies(baseDir);
-  
+  const npmDeps = getNpmDependencies(baseDir)
+
   // Create the root node with children
   const result = {
     data: pkgInfo,
     children: []
-  };
-  
+  }
+
   // Process all dependencies from the static analysis
-  function processNode(treeNode, parentNode) {
-    const deps = Object.keys(treeNode);
-    
+  function processNode (treeNode, parentNode) {
+    const deps = Object.keys(treeNode)
+
     for (const dep of deps) {
       // Extract name and version from the dependency path
       // For simplicity, we'll use the filename as the name
-      const name = path.basename(dep, path.extname(dep));
-      
+      const name = path.basename(dep, path.extname(dep))
+
       // Create the child node
       const childNode = {
         data: {
@@ -132,21 +132,21 @@ function convertToUniversalModuleTree(tree, baseDir) {
           version: '0.0.0' // Default version since we don't have this info
         },
         children: []
-      };
-      
+      }
+
       // Process subdependencies
-      processNode(treeNode[dep], childNode);
-      
+      processNode(treeNode[dep], childNode)
+
       // Add to parent's children
-      parentNode.children.push(childNode);
+      parentNode.children.push(childNode)
     }
   }
-  
+
   // Start processing from the root
   if (rootKey) {
-    processNode(tree[rootKey], result);
+    processNode(tree[rootKey], result)
   }
-  
+
   // Add npm dependencies from package.json as direct children of the root node
   for (const dep of npmDeps) {
     // Add npm package as a direct child
@@ -156,10 +156,10 @@ function convertToUniversalModuleTree(tree, baseDir) {
         version: dep.version
       },
       children: []
-    });
+    })
   }
-  
-  return result;
+
+  return result
 }
 
 const analyze = async ({
@@ -172,59 +172,56 @@ const analyze = async ({
   url
 }) => {
   // Get all dependencies and apply filter
-  const rawDeps = await readUniversalTree(dir);
-  const pkgs = filterPkgs(rawDeps, filter);
-  
-  onPkgs(pkgs);
-  
-  const data = new Set();
-  const pages = splitSet(pkgs, pageSize);
-  const batches = splitSet(pages, concurrency);
+  const rawDeps = await readUniversalTree(dir)
+  const pkgs = filterPkgs(rawDeps, filter)
+
+  onPkgs(pkgs)
+
+  const data = new Set()
+  const pages = splitSet(pkgs, pageSize)
+  const batches = splitSet(pages, concurrency)
   // Process each batch
-  
-  for (const batch of batches) {
 
-    
+  for (const batch of batches) {
     await Promise.all([...batch].map(async page => {
-      const fetchedData = await fetchData({ pkgs: page, token, url });
-      
+      const fetchedData = await fetchData({ pkgs: page, token, url })
+
       for (const datum of fetchedData) {
-        data.add(datum);
+        data.add(datum)
       }
-    }));
+    }))
   }
-  
 
   return data
 }
 
 const filterPkgs = (pkgs, fn) => {
   const map = new Map()
-  let validCounter = 0;
-  let invalidCounter = 0;
-  let skippedCounter = 0;
-  
+  // let validCounter = 0
+  // let invalidCounter = 0
+  // let skippedCounter = 0
+
   for (const pkg of pkgs) {
     const id = `${pkg.name}${pkg.version}`
     if (!semver.valid(pkg.version)) {
-      invalidCounter++;
+      // invalidCounter++
 
-      continue;
+      continue
     }
-    
+
     if (map.get(id)) {
-      skippedCounter++;
-      continue;
+      // skippedCounter++
+      continue
     }
-    
+
     if (fn(pkg)) {
       map.set(id, pkg)
-      validCounter++;
+      // validCounter++
     } else {
-      skippedCounter++;
+      // skippedCounter++
     }
   }
-  
+
   // Filtering complete
 
   const clean = new Set()
@@ -236,69 +233,69 @@ const id = node => `${node.data.name}@${node.data.version}`
 
 // This function is only used as a fallback now, using the getNpmDependencies function
 // to directly extract package.json dependencies in our main workflow
-async function readPackagesFromPackageJson(dir) {
-  const npmDeps = getNpmDependencies(dir);
-  
-  // Convert to the same format as the tree structure
-  const pkgJsonPath = path.join(dir, 'package.json');
-  let pkgInfo = { name: path.basename(dir), version: '0.0.0' };
-  
-  try {
-    if (fs.existsSync(pkgJsonPath)) {
-      const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
-      pkgInfo = {
-        name: pkgJson.name || pkgInfo.name,
-        version: pkgJson.version || pkgInfo.version
-      };
-    }
-  } catch (err) {
-    // Ignore package.json errors
-  }
-  
-  // Create result structure
-  const result = {
-    data: pkgInfo,
-    children: []
-  };
-  
-  // Add all npm dependencies as children
-  for (const dep of npmDeps) {
-    result.children.push({
-      data: {
-        name: dep.name,
-        version: dep.version
-      },
-      children: []
-    });
-  }
-  
-  return result;
-}
+// async function readPackagesFromPackageJson(dir) {
+//   const npmDeps = getNpmDependencies(dir);
+
+//   // Convert to the same format as the tree structure
+//   const pkgJsonPath = path.join(dir, 'package.json');
+//   let pkgInfo = { name: path.basename(dir), version: '0.0.0' };
+
+//   try {
+//     if (fs.existsSync(pkgJsonPath)) {
+//       const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+//       pkgInfo = {
+//         name: pkgJson.name || pkgInfo.name,
+//         version: pkgJson.version || pkgInfo.version
+//       };
+//     }
+//   } catch (err) {
+//     // Ignore package.json errors
+//   }
+
+//   // Create result structure
+//   const result = {
+//     data: pkgInfo,
+//     children: []
+//   };
+
+//   // Add all npm dependencies as children
+//   for (const dep of npmDeps) {
+//     result.children.push({
+//       data: {
+//         name: dep.name,
+//         version: dep.version
+//       },
+//       children: []
+//     });
+//   }
+
+//   return result;
+// }
 
 const readUniversalTree = async dir => {
-  let treeResult;
-  
+  let treeResult
+
   try {
     // Use our new dependency tree builder instead of universalModuleTree
     // First, find the main file from package.json or use typical entry points
-    const pkgJsonPath = path.join(dir, 'package.json');
-    let mainFile = null;
-    let pkgJson = null;
-    
+    const pkgJsonPath = path.join(dir, 'package.json')
+    let mainFile = null
+    let pkgJson = null
+
     if (fs.existsSync(pkgJsonPath)) {
       try {
-        pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+        pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'))
         if (pkgJson.main) {
-          mainFile = pkgJson.main;
+          mainFile = pkgJson.main
         } else if (pkgJson.bin) {
           // If there's no main but there is a bin field, use the first bin entry
           if (typeof pkgJson.bin === 'string') {
-            mainFile = pkgJson.bin;
+            mainFile = pkgJson.bin
           } else if (typeof pkgJson.bin === 'object') {
             // Use the first bin entry if it's an object
-            const firstBin = Object.values(pkgJson.bin)[0];
+            const firstBin = Object.values(pkgJson.bin)[0]
             if (firstBin) {
-              mainFile = firstBin;
+              mainFile = firstBin
             }
           }
         }
@@ -307,13 +304,13 @@ const readUniversalTree = async dir => {
         // Error reading package.json
       }
     }
-    
+
     // Check if the main file exists, otherwise try common entry points
     if (mainFile && !fs.existsSync(path.join(dir, mainFile))) {
       // Main file not found, trying alternatives
-      mainFile = null;
+      mainFile = null
     }
-    
+
     if (!mainFile) {
       // Try common entry points
       const possibleEntryPoints = [
@@ -323,32 +320,31 @@ const readUniversalTree = async dir => {
         'main.js',
         'bin/index.js',
         'lib/index.js'
-      ];
-      
+      ]
+
       // If we have package.json info, try using the name as entry point
       if (pkgJson && pkgJson.name) {
-        possibleEntryPoints.unshift(`bin/${pkgJson.name}.js`);
-        possibleEntryPoints.unshift(`${pkgJson.name}.js`);
+        possibleEntryPoints.unshift(`bin/${pkgJson.name}.js`)
+        possibleEntryPoints.unshift(`${pkgJson.name}.js`)
       }
-      
+
       for (const entryPoint of possibleEntryPoints) {
         if (fs.existsSync(path.join(dir, entryPoint))) {
-          mainFile = entryPoint;
+          mainFile = entryPoint
 
-          break;
+          break
         }
       }
-      
+
       // If still no main file found, make one last attempt with bin directory
       if (!mainFile && fs.existsSync(path.join(dir, 'bin'))) {
         try {
-          const binFiles = fs.readdirSync(path.join(dir, 'bin'));
+          const binFiles = fs.readdirSync(path.join(dir, 'bin'))
           if (binFiles.length > 0) {
             // Use the first .js file in the bin directory
-            const jsFile = binFiles.find(file => file.endsWith('.js'));
+            const jsFile = binFiles.find(file => file.endsWith('.js'))
             if (jsFile) {
-              mainFile = `bin/${jsFile}`;
-
+              mainFile = `bin/${jsFile}`
             }
           }
         } catch (e) {
@@ -356,37 +352,37 @@ const readUniversalTree = async dir => {
         }
       }
     }
-    
+
     // Starting dependency analysis
-    
+
     // Build the dependency tree starting from the main file
-    treeResult = buildDependencyTree(mainFile, dir);
-    
+    treeResult = buildDependencyTree(mainFile, dir)
+
     // We should always have dependencies from package.json now
     // but fall back to the old method if something goes wrong
     if (!treeResult || !treeResult.children || treeResult.children.length === 0) {
       // Using fallback package detection from package.json
-      treeResult = await readPackagesFromPackageJson(dir);
+      treeResult = await readPackagesFromPackageJson(dir)
     }
   } catch (err) {
     // Try to find packages by reading package.json
     try {
       // Using fallback package detection from package.json
-      treeResult = await readPackagesFromPackageJson(dir);
+      treeResult = await readPackagesFromPackageJson(dir)
     } catch (fallbackErr) {
       // Fallback also failed
-      return new Set();
+      return new Set()
     }
   }
-  
+
   // At this point, we must have a valid tree from either dependency-tree or package.json
   // Get packages from the tree structure
   const pkgs = new Map()
 
   const walk = (node, path) => {
     // Check if node is valid
-    if (!node || !node.data) return;
-    
+    if (!node || !node.data) return
+
     let pkgObj
     if (pkgs.has(id(node))) {
       pkgObj = pkgs.get(id(node))
@@ -407,12 +403,12 @@ const readUniversalTree = async dir => {
   // Start walking from the tree structure
   if (treeResult instanceof Set) {
     // Direct Set result from readPackagesFromPackageJson
-    return treeResult;
+    return treeResult
   }
-  
+
   // Now we know treeResult is an object, not a Set
-  const treeObj = treeResult;
-  
+  const treeObj = treeResult
+
   if (treeObj && treeObj.data) {
     // Single root node case
     walk(treeObj, [])
@@ -455,15 +451,15 @@ const fetchData = async ({ pkgs, token, url }) => {
   }
 
   const res = await graphql(url, query, variables)
-  
+
   const data = new Set()
   for (const datum of res.packageVersions) {
     // datum.paths = [...pkgs][i].paths
     data.add(datum)
   }
-  
+
   // Packages were evaluated by NCM service
-  
+
   return data
 }
 
@@ -483,64 +479,64 @@ const splitSet = (set, n) => {
 }
 
 // Function to read packages from package.json
-async function readPackagesFromPackageJson(dir) {
-  const packageJsonPath = path.join(dir, 'package.json');
-  
+async function readPackagesFromPackageJson (dir) {
+  const packageJsonPath = path.join(dir, 'package.json')
+
   // Check if package.json exists
   if (!fs.existsSync(packageJsonPath)) {
     // No package.json found
-    return new Set();
+    return new Set()
   }
-  
+
   // Read and parse package.json
-  const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-  const result = new Set();
-  
+  const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'))
+  const result = new Set()
+
   // Add the main package
   if (packageJson.name && packageJson.version) {
     result.add({
       name: packageJson.name,
       version: packageJson.version
-    });
+    })
   }
-  
+
   // Add dependencies
   if (packageJson.dependencies) {
     for (const [name, version] of Object.entries(packageJson.dependencies)) {
       // Clean up the version string (remove ^, ~, etc.)
-      const cleanVersion = version.replace(/[^\d.]/g, '') || version;
+      const cleanVersion = version.replace(/[^\d.]/g, '') || version
       result.add({
         name,
         version: cleanVersion
-      });
+      })
     }
   }
-  
+
   // Add devDependencies
   if (packageJson.devDependencies) {
     for (const [name, version] of Object.entries(packageJson.devDependencies)) {
       // Clean up the version string
-      const cleanVersion = version.replace(/[^\d.]/g, '') || version;
+      const cleanVersion = version.replace(/[^\d.]/g, '') || version
       result.add({
         name,
         version: cleanVersion
-      });
+      })
     }
   }
-  
+
   // Add peerDependencies
   if (packageJson.peerDependencies) {
     for (const [name, version] of Object.entries(packageJson.peerDependencies)) {
       // Clean up the version string
-      const cleanVersion = version.replace(/[^\d.]/g, '') || version;
+      const cleanVersion = version.replace(/[^\d.]/g, '') || version
       result.add({
         name,
         version: cleanVersion
-      });
+      })
     }
   }
-  
-  return result;
+
+  return result
 }
 
 module.exports = analyze
diff --git a/lib/report/github-action.js b/lib/report/github-action.js
index 87a714a..d6341ca 100644
--- a/lib/report/github-action.js
+++ b/lib/report/github-action.js
@@ -2,15 +2,15 @@
 
 const fs = require('fs')
 // Update import for @actions/github to fix TypeScript error
-let github;
+let github
 try {
-  github = require('@actions/github');
+  github = require('@actions/github')
 } catch (err) {
   // Provide fallbacks if the module is not available
   github = {
     context: { repo: { owner: '', repo: '' } },
     getOctokit: () => ({})
-  };
+  }
 }
 const core = require('@actions/core')
 
diff --git a/lib/util.js b/lib/util.js
index f3fde26..5437de2 100644
--- a/lib/util.js
+++ b/lib/util.js
@@ -5,7 +5,7 @@ const readline = require('readline')
 const url = require('url')
 const pDefer = require('p-defer')
 const clientRequest = require('./client-request')
-const { setTokens, api, ncmApi, getTokens, popValue } = require('./config')
+const { setTokens, api, getTokens, popValue } = require('./config')
 const {
   formatError
 } = require('../lib/ncm-style')

From 09643bf281009ae50b75a1a645eb8200632c05f8 Mon Sep 17 00:00:00 2001
From: Minwoo Jung <nodecorelab@gmail.com>
Date: Thu, 17 Apr 2025 18:32:01 +0900
Subject: [PATCH 3/3] fix tests

---
 tap-snapshots/test/report.js.md   | 240 ++++++++++++------------------
 tap-snapshots/test/report.js.snap | Bin 2635 -> 1932 bytes
 test/report.js                    |  80 +++++-----
 3 files changed, 139 insertions(+), 181 deletions(-)

diff --git a/tap-snapshots/test/report.js.md b/tap-snapshots/test/report.js.md
index 7b88d6b..2accec1 100644
--- a/tap-snapshots/test/report.js.md
+++ b/tap-snapshots/test/report.js.md
@@ -13,17 +13,17 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
         |➔ Run \`ncm report --filter=security\` for a list␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -35,10 +35,9 @@ Generated by [AVA](https://avajs.dev).
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
     │ left-pad @ 1.3.0 (0)                     │|||| Crit   │ X WTFPL               │ ✓ 0                │␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     │ handlebars @ 4.0.5 (0)                   │|||| Crit   │ ✓ MIT                 │ X 1H               │␊
-    │ uglify-js @ 2.8.29 (0)                   │|||| Crit   │ ✓ BSD-2-Clause        │ ✓ 0                │␊
     │ brace-expansion @ 1.1.2 (0)              │|||| Crit   │ ✓ MIT                 │ X 1M               │␊
+    │ chalk @ 2.4.2 (0)                        │|||| Crit   │ ✓ MIT                 │ ✓ 0                │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
     `
 
@@ -51,17 +50,17 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
         |➔ Run \`ncm report --filter=security\` for a list␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
     ␊
       ! 1 used modules whitelisted␊
         |➔ Run \`ncm whitelist --list\` for a list␊
@@ -75,7 +74,6 @@ Generated by [AVA](https://avajs.dev).
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
     │ left-pad @ 1.3.0 (0)                     │|||| Crit   │ X WTFPL               │ ✓ 0                │␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
     `
 
@@ -88,17 +86,17 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
         |➔ Run \`ncm report --filter=security\` for a list␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
     ␊
       ! 1 used modules whitelisted␊
         |➔ Run \`ncm whitelist --list\` for a list␊
@@ -112,7 +110,6 @@ Generated by [AVA](https://avajs.dev).
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
     │ left-pad @ 1.3.0 (0)                     │|||| Crit   │ X WTFPL               │ ✓ 0                │␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
     `
 
@@ -125,17 +122,17 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
         |➔ Run \`ncm report --filter=security\` for a list␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
     ␊
       ! 1 used modules whitelisted␊
         |➔ Run \`ncm whitelist --list\` for a list␊
@@ -149,7 +146,6 @@ Generated by [AVA](https://avajs.dev).
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
     │ left-pad @ 1.3.0 (0)                     │|||| Crit   │ X WTFPL               │ ✓ 0                │␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
     `
 
@@ -162,16 +158,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -189,7 +185,6 @@ Generated by [AVA](https://avajs.dev).
     ------------------------------------------------------------------------------------------------------␊
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     │ handlebars @ 4.0.5 (0)                   │|||| Crit   │ ✓ MIT                 │ X 1H               │␊
     │ brace-expansion @ 1.1.2 (0)              │|||| Crit   │ ✓ MIT                 │ X 1M               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
@@ -204,16 +199,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -231,7 +226,6 @@ Generated by [AVA](https://avajs.dev).
     ------------------------------------------------------------------------------------------------------␊
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     │ handlebars @ 4.0.5 (0)                   │|||| Crit   │ ✓ MIT                 │ X 1H               │␊
     │ brace-expansion @ 1.1.2 (0)              │|||| Crit   │ ✓ MIT                 │ X 1M               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
@@ -246,16 +240,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -273,7 +267,6 @@ Generated by [AVA](https://avajs.dev).
     ------------------------------------------------------------------------------------------------------␊
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     │ handlebars @ 4.0.5 (0)                   │|||| Crit   │ ✓ MIT                 │ X 1H               │␊
     │ brace-expansion @ 1.1.2 (0)              │|||| Crit   │ ✓ MIT                 │ X 1M               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
@@ -288,16 +281,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -324,17 +317,17 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
         |➔ Run \`ncm report --filter=security\` for a list␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -361,17 +354,17 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
         |➔ Run \`ncm report --filter=security\` for a list␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -398,16 +391,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -434,16 +427,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -471,16 +464,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -508,16 +501,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -535,7 +528,6 @@ Generated by [AVA](https://avajs.dev).
     ------------------------------------------------------------------------------------------------------␊
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     │ handlebars @ 4.0.5 (0)                   │|||| Crit   │ ✓ MIT                 │ X 1H               │␊
     │ brace-expansion @ 1.1.2 (0)              │|||| Crit   │ ✓ MIT                 │ X 1M               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
@@ -550,16 +542,16 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
       ! 1 used modules whitelisted␊
@@ -577,7 +569,6 @@ Generated by [AVA](https://avajs.dev).
     ------------------------------------------------------------------------------------------------------␊
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     │ handlebars @ 4.0.5 (0)                   │|||| Crit   │ ✓ MIT                 │ X 1H               │␊
     │ brace-expansion @ 1.1.2 (0)              │|||| Crit   │ ✓ MIT                 │ X 1M               │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
@@ -592,17 +583,17 @@ Generated by [AVA](https://avajs.dev).
     ║ mock-project Report ║␊
     ╚═════════════════════╝␊
     ␊
-    36 packages checked␊
+    4 packages checked␊
     ␊
       ! 0 critical risk␊
-        3 high risk␊
-        6 medium risk␊
-        13 low risk␊
+        1 high risk␊
+        3 medium risk␊
+        0 low risk␊
     ␊
-      ! 3 security vulnerabilities found across 3 modules␊
+      ! 2 security vulnerabilities found across 2 modules␊
         |➔ Run \`ncm report --filter=security\` for a list␊
     ␊
-      ! 2 noncompliant modules found␊
+      ! 1 noncompliant modules found␊
         |➔ Run \`ncm report --filter=compliance\` for a list␊
     ␊
     ──────────────────────────────────────────────────────────────────────────────────────────────────────␊
@@ -618,41 +609,9 @@ Generated by [AVA](https://avajs.dev).
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
     │ left-pad @ 1.3.0 (0)                     │|||| Crit   │ X WTFPL               │ ✓ 0                │␊
-    │ ms @ 0.7.1 (0)                           │|||| Crit   │ X UNKNOWN             │ X 1L               │␊
     │ handlebars @ 4.0.5 (0)                   │|||| Crit   │ ✓ MIT                 │ X 1H               │␊
-    │ uglify-js @ 2.8.29 (0)                   │|||| Crit   │ ✓ BSD-2-Clause        │ ✓ 0                │␊
     │ brace-expansion @ 1.1.2 (0)              │|||| Crit   │ ✓ MIT                 │ X 1M               │␊
     │ chalk @ 2.4.2 (0)                        │|||| Crit   │ ✓ MIT                 │ ✓ 0                │␊
-    │ minimist @ 0.0.10 (0)                    │|||| Crit   │ ✓ MIT                 │ ✓ 0                │␊
-    │ source-map @ 0.5.7 (0)                   │|||| Crit   │ ✓ BSD-3-Clause        │ ✓ 0                │␊
-    │ yargs @ 3.10.0 (0)                       │|||| Crit   │ ✓ MIT                 │ ✓ 0                │␊
-    │ amdefine @ 1.0.1 (60)                    │|||| Low    │ ✓ BSD-3-Clause OR MIT │ ✓ 0                │␊
-    │ async @ 1.5.2 (60)                       │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ balanced-match @ 0.3.0 (60)              │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ cliui @ 2.1.0 (60)                       │|||| Low    │ ✓ ISC                 │ ✓ 0                │␊
-    │ color-convert @ 1.9.3 (60)               │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ concat-map @ 0.0.1 (60)                  │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ is-buffer @ 1.1.6 (60)                   │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ kind-of @ 3.2.2 (60)                     │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ optimist @ 0.6.1 (60)                    │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ source-map @ 0.4.4 (60)                  │|||| Low    │ ✓ BSD-3-Clause        │ ✓ 0                │␊
-    │ window-size @ 0.1.0 (60)                 │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ wordwrap @ 0.0.2 (60)                    │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ wordwrap @ 0.0.3 (60)                    │|||| Low    │ ✓ MIT                 │ ✓ 0                │␊
-    │ align-text @ 0.1.4 (100)                 │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ ansi-styles @ 3.2.1 (100)                │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ camelcase @ 1.2.1 (100)                  │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ center-align @ 0.1.3 (100)               │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ color-name @ 1.1.3 (100)                 │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ decamelize @ 1.2.0 (100)                 │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ escape-string-regexp @ 1.0.5 (100)       │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ has-flag @ 3.0.0 (100)                   │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ lazy-cache @ 1.0.4 (100)                 │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ longest @ 1.0.1 (100)                    │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ repeat-string @ 1.6.1 (100)              │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ right-align @ 0.1.3 (100)                │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ supports-color @ 5.5.0 (100)             │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ uglify-to-browserify @ 1.0.2 (100)       │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
     `
 
@@ -665,7 +624,7 @@ Generated by [AVA](https://avajs.dev).
     ║ poisoned-project Report ║␊
     ╚═════════════════════════╝␊
     ␊
-    3 packages checked␊
+    2 packages checked␊
     ␊
       ! 0 critical risk␊
         0 high risk␊
@@ -683,7 +642,6 @@ Generated by [AVA](https://avajs.dev).
       Module Name                               Risk         License                 Security␊
     ┌──────────────────────────────────────────┬────────────┬───────────────────────┬────────────────────┐␊
     │ left-pad @ 1.3.0 (0)                     │|||| Crit   │ X WTFPL               │ ✓ 0                │␊
-    │ is-path-inside @ 2.1.0 (100)             │|||| None   │ ✓ MIT                 │ ✓ 0                │␊
-    │ path-is-inside @ 1.0.2 (100)             │|||| None   │ ✓ (WTFPL OR MIT)      │ ✓ 0                │␊
+    │ is-path-in-cwd @ 0.0.0                   │            │                       │                    │␊
     └──────────────────────────────────────────┴────────────┴───────────────────────┴────────────────────┘␊
     `
diff --git a/tap-snapshots/test/report.js.snap b/tap-snapshots/test/report.js.snap
index f4ea7b59fb05c1c5a967f7b5ae80eea5e37d1d80..5eac0481cf07827cf2f83a0b698d52ff9b6b6d89 100644
GIT binary patch
literal 1932
zcmV;72XpvARzV<BZeeh9Xm4~Nb~6eC09W+o@!bG8obN1XWX^1L<E?vc?x5_*B(YLM
z>jK@Gl^=@;00000000B+oKJ7uL>R^c2q7hHQKTNK2EkN7)k^hZ?<P&cs!}DOq*79<
z5)@D`b?ixO)_+#Ew+T`Xz?nlUQc)p5qGyhL3Jx5RIB<!?fp5SO?b_b1W6#FkoypqE
zV?9!;?0DYUcPIP4zo)i;-r2TXt>r&{Mgudj=>F>-ZM$AT+)mK$1jJSY&7eN<9kuNn
zZeYg$@V|Pd>uR8WcJ9VYGq22aj~8B^nSZf%Zg$~*W2ISdDvjl)a$RXEOUw4rlf$DY
zkH*t?3-=qVcJ}O#d#{m&`;BGWcD0t&_T0~@7La?rchi5Bb!PUg-;cfKAH&&a7qf!5
zRjsA&QlDrB)ml`K#*%n!eQBw=dcApl(Y{3F@GWSb8JL=C5zq8nvxFqZDvj0dU?m)C
zn7c;yu$4x$v0^vEVK&vxj-47fxXviH<?e;UGFKRmsS}@S9nTEDAP+m1Lp^odw9LSy
zKG|_Qj!sm~bA6xGiS6ngi~5O}a=lrX7n{n;vVCy$(;>OnamWKlvq`ikC27aB0_xp}
zgFGNRu18d2nSL-Nd*Rv?;<%3H+HK2JogiL7xUSKb5l^PklNJ)?yuXr;Pxbx^_6#$i
z-7{&<b@WdllGOc?5j|@^AASiH67#EpkWIHumfj_6=B`2gfZQ|v7TE|tPv%+DsT@NV
z9WIdEQEf_wAHDYzAM2(@9Y1}_$I)LQ`y2G|n@N9$zi=HUdY(r^Qu%fCElhU;sjced
zCQ)jQnw<W+yCPo=hh`l^rcO<CaBy(Iteo$8W)O!Nw%*jNpN7BR+PrmlJ^$k3*H-0b
zU6z|lUAB*Y_%?h=F7PIY=GIUh-J;v7=aZXcu_o7+3T1avxy{PS#_i1_>tlXQ8STYd
z*83kd<=dXBQHk!iRmV47r?;z>T0L*xr#<Ci+n{XlOu1&LR*T#u_1a?oL{C-9#e9hz
zPP*3p%5|9Nd7g%;q?Wo(Ejw(jrI0#f7QNVSxSx005tybqbnedthyFGP4h4r+jzfWs
z)z=UL+j{<)kz2hzMD>^($(0Oa;c8iFa^hL8oQ7<RJFX+`P0iMT(J=Nf(euD)03&c1
zCVHL(BkW&DK*9hMM7+?B+cOQ207w8N01`?pKmt^3TL2OO2|~iL1V{iRa2O_fo??)&
ze~En+53m8)0Bis@lvuz9sMxjuHUJxhgkuTV0BqneO!PbjvEf3$KkIjYELxcVD?tmt
z&w~~~3;AgQx3GX0xM_S|h_^3VLbQaVDo0DG)9ub~@2d2A;eK#Bu1aU!2rzh#vYwR%
zw2ETqc?ze3oA@{tC`u?wr%;q|Lm+MlELY08-Vlg3ppX)d(Zi%+6c?o9m!kS`iQp2!
zC4x&-YQZH+9B9aehGPjX5nQ5#D%l>QAaM{}A{3?54aX8(BDh4AOF3L3@!?o1;1cb>
z!Mf-ht`S@#xJGb|N-elXi31I~&~PllHG*rDP$k<%6eJFUYlNb7y5U%YYXsM*aw&&v
zBt9HVMO>rH$3eSiKIFJDZSLQMdGrq+V*&FB<`K-JNr<0$bZzbShij#6)+e6m%84(<
zm3wyp<;ET+dLE!$sZb7FQAo+BTr4EPqT6?-=wcz0E?7u$W+{Obm(KtxfE1N`G9Cy8
zN@;vTDRt{P@%&a!e88mCn*uyC_At@&fJeY1gPL|8xsc)!zzARjFaj9)KM61b<=qf~
z5x@xNa4Z2v03(B%b{Kgp>pw@X;le9`2`;<>NmN3(@CqutGjQP**g{k|mcSNZi$P60
zTU<HbiA8N^jvG79x(U8`a29+4z5ri<FD4+4e6jJt`?o*YC~Xfp@l;n%oC%}k`vZ(I
z_At@&fH6wN7`RVAPs(whzW8t~C9&>e66<WLr>O4D6x9Lf0CWI409{oCpo2!(8vr^0
zow#r;0q6j9l}kB*PJB3)3IpBS$NS%I3!ek&=KoG0-5+>zKadVc2c(;XI3nHpM_cIE
z(XWpxJiUL6=5g>GJiT9JIF|7AetzQYC802(FpVJ?NidQsmvR_M;={2t{*?h1Y$Vu7
zu#sRRRYkCoQU|(qq2XA9jRYGhp-T3SC`udz8wrJ}QiTaN5^SV$r5rYr_;4(ZaXpgd
zI=hi?L~J$C4C<5EKS~=(=if;fN#s0?Bp69}STdS$9?IzqMSVB=YxLJ63dRqNpM)ye
z?V;vyPyyoybq954ywh{k9gFS+Qd`w~?n0w*>6ujBNfnE&&0BZZix-`&`Xv{5lkm*o
znN=v|Ts^ZWu4brKtJk?M=1=rgrCiLH2%6MFN?4L!*JYFvwq)!?z83i`duCvewrl#X
zLv<24dT9f4_SJ*|Ig@R@a4;Z8F(c#Um&K6GGAHX<3lU^a%K6Mmg@ZYn^*4XVJ;9)a
zfjC_{k&OUvfVWWvc$+A^nZDFk14A+$N!#mYSgy&n)a)lLwD_>m&p?AIcAjI;${*}7
S`+Zp0YW@d&H@0f8`Tzh7$e~~W

literal 2635
zcmV-R3bge>RzV<BZeeh9Xm4~Nb~6eC0Hie<3koOpY0kvkA!Pzv^(&57f6!kZq@>v@
zp6_0`ydR4Q00000000B+olS4s$Q{PhE{X!l28$w>U|qDceS-rm1yZtPdxZs(O`682
z?F2~{-XfQ!$dNQL-^!sPd*MUda}T?y7hM!>f!%WtJ@k9@8}yKCzd=uhNJ<thlF>+{
zHPk-D18lGwap=e6ng8z*Ir_TWv0USrfAI|sSYXkUANkaC{eZZGz#9a_)&rwYIpL1(
z@xB|d@jv+QzcEcc(0}vJKi|6c{cEG+JKwwZgYSO*&h?EKjh%MAtu?mWT1#td&29Vj
zm*=m){Cqk6dE-T6*G@nC7vXDU<3(fJwq4^`@qG6sH3IT9{AnhyX1z20tbbYhn*SD^
z{d%L7*1M-0$9j))V)UtTOwG748Mm!Bo9*3JyR~J%N7U$NFnks;L$`>}`0;f@5^c4{
z?x=AiYT9SLetNT=M!T_Nx1we?HQB(PX*hkIT6{*!9Y*a^FEMJ<Ae<Tlp9QDn)xdJ7
zuXmWm0!BIMx&y}~y5YN=lLoO}b6`=P=v1w@>*`ip+u63yUjO}^JRLaXQ^&ALJSr8X
z%dCL<AC5culyqI6=)__?$gwZFwmNZK$8c@WV!9KIFCe<E#V%ufGK0S9LSob7E78b+
zQ*&|!!#)e>=$&-V>zKTOD9Y$RDZQtS==0w}Ldu*R2zl;$r1=4P#Cm<o1M-ydV{#Dv
zJ~Q8?T*;Ah(a{BxL*1q%{|JAc@v+Yg>hRgOJd6Jdv**zBKd$<B_>V%Hm3^MibFBPB
zJPXrqpm@4T?h>umsHwBl-KKgcYMOTBoO<R&XJ=<;nQP~Lp9SM?@~(I0te-^x|LFO{
zC;RhX-1xO!wOv=$wpLf|*MI#}^pYy@L*{yGb8?rcwe6ZF=&EGieth`r!^cO5qTbG&
zC#@LRPjg{W!~42pTC}74BjdMfYON_`{HhF38-xdY&qc29O`cB`blRgLEg$qO);(2T
zjvTMoc53zA%3A)>vj<9Dxo_!%i^XZxQ%J|x4XV%+Pj@(Top6@cYV~<NmdV~SMs!pL
zYX^ml=<`(<7yl}>S=s0LDzcJVdWTwe#4<_*`eXcmcS1N9XcK1vv*>?wKY{)q-URvs
z{VRz6Aoc1i2YQb#erM!iIEJV>Ms>28lI7fy72sFya^;jWEDl{q8LrLHK(@1Vv$D^F
zYzNuSw<6mCmI*0=Whb{2TsDPaF`{|nde{J$fy=;U;4-NNE`!8|1-L9cz-2{umnCo+
zxC~r&6<TL5J9#hr=0K1dNDZV0Qj=OBHArk&fYibRq*ioySpunn)Ie%ip|vKp+mnKL
zQf_Af+N~!EK)ZJffCfMl0W>_02t+GP%Ol!&_@W9&6~3tEsKQO!8T7*Ei|WE9_<BDC
zgJSWjy35j62!{$&G2svvB`iu;uqYwEz{A~=Q~{+u+>NJ?@$~V6&B{JcBBXnj%;?4y
zz~y_~If6L^a|q@T%t<Z;bBO~CRBCrwLNF&62BAO{5`wwngkTPf($#jCB?NO4tw;#w
z5X?zwIfA+JyUUV5Fn99ftY=9O)FG%tP=}ySav`Wo9AKhSyUP-SI=Qe21*4D<)D<TL
zby$?Hw!17LsFP?#LQsdGPD;xW)Ro^|mPCTOUtCT$!nkLSCth#-FOk>%_XhGh<aNmF
zkk_q5#pQMHKid1%BWd|)<wjRd#e%ckqXYE3bhEP0GY35b=B^IrKo&wuZlJS~M2k`3
zIl~tlseF+I6>o1RpkniFKn0+pg8Q6;QJ@(u&nQwCpDXvbaw-N*q#hI?lBJuKeI5`A
zh-6ypP9(Qyhy*wS90861N4{MGjzIGc2;c~Cq~Pwd1RMd5Ol#e7<Y#Fgki3uEuYe}F
z{R%8m5#jbLNO)x6_AAguS>0s`bOE}U*1FTh=H*H(t~=*=z~km`6NJ&hcTR&aKo}s5
z)u=$iIQZp*y^jy1ts+-$b>&nrV@N(eKp9InEBid445=ssPwdZQIiA=rzq>3Y!S3B8
z*xA&a;kuvBa2=2iNC%_?(p5)5I%t8h0i*-cmDgRCfOJ5*%2^JiE5Exe2_xOlFW0}L
z5`GS-yY)!|>h|!(34l649iVPCDiG@SA0MG&N5#IV@Z||hl#hwk2Vb60Vs}}>mnRgb
zg3}}{Ojwwf5WYY`qE!jm9kM$qEk|}&es@_~{&oxt$sLkABzH*esv{(KGY0^v)b6r`
z<W4R|LiH#lBzMIL$sHD^N-a!C?vUI`QVAfrLvpvgDp`9ia@U>ZI=wimBeotGeagu=
zvYXBB?rDka?kD$<-66Zf*5C-^iqV{5T#PzE8X(PrLe?f1)u7%J60)}9B#^aX-NCxE
z+}r0^cP!cs6i+w9e4!z{^hgt>9X)^eWM6#INn5{Efgchvr4$P~V#-y;l!Kndx~IxZ
z9@efqwfb&lE&u4*1EsFqxAeiq;<V~11S#;<rND8&Mqjs%!_mAoztL-DdAW-sbC^B4
z(QLFdsx?ip;()#R_HuXN8&t7%FEqGW+phF{+>mTOKGpr+XsK(|G<AWTMkae@9KE`2
z(k^poxX!7`x;dWgH(N{14%084O~0_+YVYi{cXsVO+xOieDRNXlej5H7R&F~#b&SyS
zW^&1!$Mb5~F5_tL=+@}t9a9NE2@U7#O9Y<pKWtyDz_ZwZg$14_;&zp6-+OjnKHFW(
z^%cW)UQs^?C!5_`L%{wD*e>O0cO63yCIzAJq6*s=vYm0IGw61yA0vB9aH4_j3)z0m
z98+<-VTE2_pq7E{3)${^!3ET}*0OGw(e_KQzg62>ySZJ)5Man0(;X_DeMUpyMa#$v
z*e>H}AG*Fd^e1(U@Z=8Li?Cg!WQXlbWHJ`(IZ8lJf_RSEO6hh}Qx~6Prrk~2J9*{M
zb?7>J>u{#<;B<6{Zd561LgvET9NyGzY8g6@GF(w-;cc$B)Cs7sgi}L2D>Ovxg||80
zhVhg$x|b~?b|GisZC)QH4QGX@Ue>1XaE7<bdP}*XdsN|p&zzp((;hwX;*Zao^SBIe
zv-{}lT<KbRFDw#N(NPO;^ZKy#&rTIXH~Qlbdr{vO=dJ7XC=V`wiazhKg||6<_|&6%
z5YM-v!!03);cbq$tk(|~FK^*(P9J>Wjh-*%N?7QUyQEobimYhxHoK4bCg{LbI=(yP
z)Mwq(c=D~!<1oBUc?}Qg2`RBDgFmVOl*Gmi<GmPu7(Zt|WI>;JF5|94O%m^EFuMiA
zjsGOJVEFfqvbJDYWIKlO<;$`qL+bVnX%|w`?hJ9$H|@@#Ma|~eok1PflQWw$r2Wkw
zx^LK^A#Vc(4I3y_PMLp91P`yyjxIdBDkMC-y3(4KamCYvzQP>NOnUitS@6O#-bTjq
t3vcHp1-ZQ4j0SG>6vLerdkbC=QgRcwjcH(*l+_VA{2x`ntjd=*0RX4qFGT<V

diff --git a/test/report.js b/test/report.js
index 02a48d9..6232d17 100644
--- a/test/report.js
+++ b/test/report.js
@@ -12,11 +12,11 @@ NCMTestRunner.createTest('report output matches snapshot', (runner, t) => {
       t.is(stderr, '')
       t.snapshot(stdout, 'report-output')
       t.regex(stdout, /mock-project Report/)
-      t.regex(stdout, /36 .+packages checked/)
+      t.regex(stdout, /4 .+packages checked/)
       t.regex(stdout, /handlebars @ 4.0.5/)
       t.notRegex(stdout, /has-flag @ 3.0.0/)
-      t.regex(stdout, /2 noncompliant modules found/)
-      t.regex(stdout, /3 security vulnerabilities found/)
+      t.regex(stdout, /1 noncompliant modules found/)
+      t.regex(stdout, /2 security vulnerabilities found/)
       resolve()
     })
   })
@@ -31,12 +31,12 @@ NCMTestRunner.createTest('report --compliance output', (runner, t) => {
         t.snapshot(stdout, 'report-output-compliance')
 
         const out = stdout.toString()
-        t.regex(out, /2 noncompliant modules found/)
+        t.regex(out, /1 noncompliant modules found/)
         t.regex(out, /left-pad @ 1.3.0/)
-        t.regex(out, /ms @ 0.7.1/)
+        t.notRegex(out, /ms @ 0.7.1/)
         t.regex(out, /WTFPL/)
-        t.regex(out, /UNKNOWN/)
-        t.regex(out, /3 security vulnerabilities found/)
+        t.notRegex(out, /UNKNOWN/)
+        t.regex(out, /2 security vulnerabilities found/)
         resolve()
       })
   })
@@ -50,10 +50,10 @@ NCMTestRunner.createTest('report -c output', (runner, t) => {
       t.snapshot(stdout, 'report-output-compliance')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
+      t.regex(out, /1 noncompliant modules found/)
       t.regex(out, /left-pad @ 1.3.0/)
       t.regex(out, /WTFPL/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /2 security vulnerabilities found/)
       resolve()
     })
   })
@@ -68,12 +68,12 @@ NCMTestRunner.createTest('report --filter=compliance output', (runner, t) => {
       t.snapshot(stdout, 'report-output-compliance')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
+      t.regex(out, /1 noncompliant modules found/)
       t.regex(out, /left-pad @ 1.3.0/)
-      t.regex(out, /ms @ 0.7.1/)
+      t.notRegex(out, /ms @ 0.7.1/)
       t.regex(out, /WTFPL/)
-      t.regex(out, /UNKNOWN/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.notRegex(out, /UNKNOWN/)
+      t.regex(out, /2 security vulnerabilities found/)
       resolve()
     })
   })
@@ -87,10 +87,10 @@ NCMTestRunner.createTest('report --security output', (runner, t) => {
       t.snapshot(stdout, 'report-output-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
-      t.regex(out, /ms @ 0.7.1/)
+      t.notRegex(out, /ms @ 0.7.1/)
       t.regex(out, /brace-expansion @ 1.1.2/)
       t.regex(out, /debug @ 2.2.0/)
       t.regex(out, /1H/)
@@ -109,8 +109,8 @@ NCMTestRunner.createTest('report -s output', (runner, t) => {
       t.snapshot(stdout, 'report-output-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
       t.regex(out, /1H/)
       resolve()
@@ -126,10 +126,10 @@ NCMTestRunner.createTest('report --filter=security output', (runner, t) => {
       t.snapshot(stdout, 'report-output-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
-      t.regex(out, /ms @ 0.7.1/)
+      t.notRegex(out, /ms @ 0.7.1/)
       t.regex(out, /brace-expansion @ 1.1.2/)
       t.regex(out, /debug @ 2.2.0/)
       t.regex(out, /1H/)
@@ -149,8 +149,8 @@ NCMTestRunner.createTest('report --filter=high --security output', (runner, t) =
       t.snapshot(stdout, 'report-output-high-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
       t.notRegex(out, /ms @ 0.7.1/)
       t.notRegex(out, /brace-expansion @ 1.1.2/)
@@ -172,8 +172,8 @@ NCMTestRunner.createTest('report --filter=high output', (runner, t) => {
       t.snapshot(stdout, 'report-output-high-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
       t.notRegex(out, /ms @ 0.7.1/)
       t.notRegex(out, /brace-expansion @ 1.1.2/)
@@ -195,8 +195,8 @@ NCMTestRunner.createTest('report --filter=h output', (runner, t) => {
       t.snapshot(stdout, 'report-output-high-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
       t.notRegex(out, /ms @ 0.7.1/)
       t.notRegex(out, /brace-expansion @ 1.1.2/)
@@ -218,8 +218,8 @@ NCMTestRunner.createTest('report --filter=high,security output', (runner, t) =>
       t.snapshot(stdout, 'report-output-high-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
       t.notRegex(out, /ms @ 0.7.1/)
       t.notRegex(out, /brace-expansion @ 1.1.2/)
@@ -241,8 +241,8 @@ NCMTestRunner.createTest('report --filter=medium --security output', (runner, t)
       t.snapshot(stdout, 'report-output-med-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
       t.notRegex(out, /ms @ 0.7.1/)
       t.regex(out, /brace-expansion @ 1.1.2/)
@@ -264,8 +264,8 @@ NCMTestRunner.createTest('report --filter=m --security output', (runner, t) => {
       t.snapshot(stdout, 'report-output-med-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
       t.notRegex(out, /ms @ 0.7.1/)
       t.regex(out, /brace-expansion @ 1.1.2/)
@@ -287,10 +287,10 @@ NCMTestRunner.createTest('report --filter=low --security output', (runner, t) =>
       t.snapshot(stdout, 'report-output-med-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
-      t.regex(out, /ms @ 0.7.1/)
+      t.notRegex(out, /ms @ 0.7.1/)
       t.regex(out, /brace-expansion @ 1.1.2/)
       t.regex(out, /debug @ 2.2.0/)
       t.regex(out, /1H/)
@@ -310,10 +310,10 @@ NCMTestRunner.createTest('report --filter=l --security output', (runner, t) => {
       t.snapshot(stdout, 'report-output-med-security')
 
       const out = stdout.toString()
-      t.regex(out, /2 noncompliant modules found/)
-      t.regex(out, /3 security vulnerabilities found/)
+      t.regex(out, /1 noncompliant modules found/)
+      t.regex(out, /2 security vulnerabilities found/)
       t.regex(out, /handlebars @ 4.0.5/)
-      t.regex(out, /ms @ 0.7.1/)
+      t.notRegex(out, /ms @ 0.7.1/)
       t.regex(out, /brace-expansion @ 1.1.2/)
       t.regex(out, /debug @ 2.2.0/)
       t.regex(out, /1H/)
@@ -331,7 +331,7 @@ NCMTestRunner.createTest('report --long output matches snapshot', (runner, t) =>
       t.is(stderr, '')
       t.snapshot(stdout, 'long-report-output')
       t.regex(stdout, /mock-project Report/)
-      t.regex(stdout, /has-flag @ 3.0.0/)
+      t.regex(stdout, /chalk @ 2.4.2/)
       resolve()
     })
   })