Track Potential Adoption of NPM Audit Resolve / Counterclaim / Assertions

[achrinza]

There's discussion in the Node.js ecosystem to create a standard file format to allow Node.js module authors to write a "counterclaim" against a vulnerability with one of its direct or nested dependency.

• New RFC

  • RFC and DX: RFC: audit assertions npm/rfcs#422
  • File format: add draft Audit File RFC and schema openjs-foundation/pkg-vuln-collab-space#11

• Old RFC

  • Discussion: Suggest ignoring a vulnerability by the package maintainer nodejs/package-maintenance#386
  • RFC and file format: npm audit and audit-resolve.json npm/rfcs#18

• Other discussions

  • Raising awareness of an npm RFC PR openjs-foundation/pkg-vuln-collab-space#8

This is similar to CSAF 2.0 and CycloneDX VEX profiles, which allow software authors to similarly write about their evaluation on the practical impact of the vulnerability.

This issue is to keep track of these proposals.

The expected end-goal is to eventually adopt this file format alongside the CSAF 2.0 and CycloneDX VEX profiles.