fix: audit package mismatch in special case

Author: fritzy

workspaces/arborist/lib/arborist/build-ideal-tree.js

@@ -619,14 +619,16 @@ module.exports = cls => class IdealTreeBuilder extends cls {
             continue
           }
 
-          const { isSemVerMajor, version } = fixAvailable
+          // name may be different if parent fixes the dep
+          // see Vuln fixAvailable setter
+          const { isSemVerMajor, version, name: fixName } = fixAvailable
           const breakingMessage = isSemVerMajor
             ? 'a SemVer major change'
             : 'outside your stated dependency range'
-          log.warn('audit', `Updating ${name} to ${version}, ` +
+          log.warn('audit', `Updating ${fixName} to ${version}, ` +
             `which is ${breakingMessage}.`)
 
-          await this[_add](node, { add: [`${name}@${version}`] })
+          await this[_add](node, { add: [`${fixName}@${version}`] })
           nodesTouched.add(node)
         }
       }

workspaces/arborist/lib/vuln.js

@@ -65,6 +65,9 @@ class Vuln {
     // - {name, version, isSemVerMajor} fix requires -f, is semver major
     // - {name, version} fix requires -f, not semver major
     // - true: fix does not require -f
+    // TODO: duped entries may require different fixes but the current
+    // structure does not support this, so the case were a top level fix
+    // corrects a duped entry may mean you have to run fix more than once
     for (const v of this.via) {
       // don't blow up on loops
       if (v.fixAvailable === f) {