Hey @souhailaS,

This case might be useful for your research. If multiple npm i / npm ci calls are performed in the same environment combinations, there is no point in auditing vulnerabilities each time (npm install does this by default). It is enough in one place, we do this as a separate step, so we deactivated implicit auditing for the remaining calls via npm config preset. Internally, the audit operation is quite resource-intensive: advisories are requested in several batches and applied to the current dependency tree, matching CVE-affected version ranges for each nested package.

thanks a lot for the insight @antongolub !