Answer my own questions

feelepxyz · feelepxyz · commit e362a404213d · 2022-05-10T16:35:16.000+01:00
diff --git a/lib/commands/audit.js b/lib/commands/audit.js
@@ -227,11 +227,14 @@ class VerifySignatures {
     const node = edge.to || edge
     const { path, location } = node
     const { version } = node.package || {}
-    // QUESTION: Do we need to handle `latest`?
+
+    // Skip packages that don't have a installed version, e.g. optonal dependencies
     if (!version) {
       return
     }
+
     const type = edge.optional ? 'optionalDependencies'
+      : edge.bundled ? 'bundledDependencies'
       : edge.peer ? 'peerDependencies'
       : edge.dev ? 'devDependencies'
       : 'dependencies'
@@ -242,17 +245,13 @@ class VerifySignatures {
       }
     }
 
-    // QUESTION: Confirm, is this the right thing to do here?
-    //
-    // deps different from prod not currently
-    // on disk are not included in the output
+    // Skip potentially optional packages that are not on disk, as these could
+    // be omitted during install (e.g. via `--only=prod`)
     if (edge.error === 'MISSING' && type !== 'dependencies') {
       return
     }
 
-    // QUESTION: Confirm, is this the right thing to do here?
-    //
-    // if it's not a range, version, or tag, skip it
+    // Skip if the package is not in a registry, e.g. local workspace package
     try {
       if (!npa(`${edge.name}@${edge.spec}`).registry) {
         return null
