Description
Currently npm audit is a great way to see if there are any important security issues that need patching in your codebase. This works well for production code and I use it extensively; however, for development packages audit has always felt quite broken.
I think that part of the reason for this is that a large number of CVE issues have no real security issue in the context of development code used to build and check the solution.
For example, any Denial of Service attack on development packages is largely irrelevant because of the context that this code is run in (e.g. developer machines and CI pipelines), and the fact that the data which development packages act on is normally from fully or partially trusted sources.
I think it would be useful to be able to ignore not only specific CVE issues, but also entire classes of CWE in the context of development packages. A great example of this is CWE-1333, which is the root of Regex Denial of Service CVE issues such as GHSA-5pgg-2g8v-p4x9. If this package is used in development there is unlikely to be any issue, as the input is constrained to CSVs which are in source or a trusted context; however, if this is used in production, it's likely to do with user input and as a result requires fixing.
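As an added illustration of the filtering the issue asks for (example code, not part of the issue or of npm itself): a small post-processor over `npm audit --json` output that suppresses dev-only findings whose advisories all fall in an ignored CWE class. It assumes the auditReportVersion 2 layout with a `cwe` array on each advisory object in `via`, decides "dev-only" by comparing against a second report from `npm audit --omit=dev --json`, and uses constructed package names and trimmed-down entries.

```javascript
// Judge one element of `via`: advisory objects by their CWE list, package-name
// strings by whether that package has already been suppressed.
function viaIgnored(v, ignore, suppressed) {
  if (typeof v === 'string') return suppressed.has(v);
  return Array.isArray(v.cwe) && v.cwe.length > 0 && v.cwe.every((c) => ignore.has(c));
}

// Return the names that still need action. A finding is suppressed only when it
// is absent from the production-only report (so it reaches the tree through
// devDependencies alone) and every path into it carries only ignored CWEs.
function actionableVulns(fullReport, prodReport, ignoredCwes) {
  const ignore = new Set(ignoredCwes);
  const vulns = fullReport.vulnerabilities || {};
  const prodNames = new Set(Object.keys(prodReport.vulnerabilities || {}));
  const suppressed = new Set();
  let changed = true;
  // Fixed-point loop: a tool that is vulnerable only "via" an already
  // suppressed library gets suppressed on a later pass.
  while (changed) {
    changed = false;
    for (const [name, entry] of Object.entries(vulns)) {
      if (suppressed.has(name) || prodNames.has(name)) continue; // prod: never suppress
      if (entry.via.length > 0 && entry.via.every((v) => viaIgnored(v, ignore, suppressed))) {
        suppressed.add(name);
        changed = true;
      }
    }
  }
  return Object.keys(vulns).filter((n) => !suppressed.has(n)).sort();
}

// Constructed sample reports (hypothetical package names; real entries carry
// more fields such as range, nodes, effects and fixAvailable).
const redos = { source: 1, title: 'ReDoS in parser', cwe: ['CWE-1333'], severity: 'high' };
const proto = { source: 2, title: 'Prototype pollution', cwe: ['CWE-1321'], severity: 'critical' };
const FULL = { auditReportVersion: 2, vulnerabilities: {
  'dev-csv-lib': { name: 'dev-csv-lib', severity: 'high', isDirect: false, via: [redos] },
  'dev-report-tool': { name: 'dev-report-tool', severity: 'high', isDirect: true, via: ['dev-csv-lib'] },
  'dev-proto-lib': { name: 'dev-proto-lib', severity: 'critical', isDirect: true, via: [proto] },
  'prod-regex-lib': { name: 'prod-regex-lib', severity: 'high', isDirect: true, via: [redos] },
} };
const PROD = { auditReportVersion: 2, vulnerabilities: {
  'prod-regex-lib': FULL.vulnerabilities['prod-regex-lib'],
} };

// Same CWE-1333 advisory: dropped for the dev-only path, kept for production.
console.log(actionableVulns(FULL, PROD, ['CWE-1333'])); // [ 'dev-proto-lib', 'prod-regex-lib' ]
```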