Details
Description
Because of the caching added to the npm audit implementation (https://github.com/sonatype/nexus-internal/blob/59ef3f717a6e2cffc4dd6188ba8aedbfbeb8c2bb/plugins/nexus-repository-npm/src/main/java/org/sonatype/nexus/repository/npm/internal/NpmAuditFacet.java#L265),
the cached audit results can differ between nodes in an HA environment, so the vulnerabilities a user sees depend on which node happens to serve the request.
Scenario:
- The user runs npm audit; the request hits node 1, which caches the (clean) results.
- The vulnerability data for one of the components is updated (a new vulnerability is reported for it).
- The user runs npm audit again; the request hits node 2, which fetches fresh results and caches them, now including the vulnerability.
- The user does not address the vulnerability yet.
- Some time later the user goes to address the vulnerability and runs npm audit again; this time the request hits node 1, which serves its stale cached results, so the vulnerability is no longer reported.
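The following is an added example, not code from Nexus Repository or the NpmAuditFacet linked above. It replays the scenario against two simulated nodes that each keep a private in-memory cache, and then shows one mitigation: folding a version counter of the vulnerability data into the cache key, so that an update anywhere in the cluster misses every node's stale entry. The vulnerability database, the package names, the advisory id and the shared version counter are all constructed for the simulation; in a real deployment every node would have to read that version from shared state rather than from a Python object.

```python
import hashlib
import json


class VulnDatabase:
    """Constructed stand-in for the vulnerability data an audit consults.

    `version` increments on every publish, giving nodes a cheap signal that
    cached audit results may be stale.
    """

    def __init__(self):
        self.version = 0
        self.advisories = {}  # "name@version" -> [advisory ids]

    def publish(self, package, version, advisory_id):
        self.advisories.setdefault(f"{package}@{version}", []).append(advisory_id)
        self.version += 1

    def lookup(self, deps):
        # Return only the dependencies that currently have advisories.
        return {dep: list(self.advisories[dep]) for dep in deps if dep in self.advisories}


class AuditNode:
    """One HA cluster node with its own in-memory cache of audit results."""

    def __init__(self, name, db, versioned_keys):
        self.name = name
        self.db = db
        self.versioned_keys = versioned_keys
        self.cache = {}  # cache key -> audit result; never shared with other nodes

    def _cache_key(self, deps):
        material = {"deps": sorted(deps)}
        if self.versioned_keys:
            # Mitigation (assumed design, not the project's): include the data
            # version so an update invalidates stale entries on every node.
            material["db_version"] = self.db.version
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def audit(self, deps):
        key = self._cache_key(deps)
        if key not in self.cache:
            self.cache[key] = self.db.lookup(deps)
        return self.cache[key]


def run_scenario(versioned_keys):
    """Replay the report's scenario; returns the audit result of each npm audit run."""
    db = VulnDatabase()
    node1 = AuditNode("node1", db, versioned_keys)
    node2 = AuditNode("node2", db, versioned_keys)
    deps = ["left-pad@1.3.0", "lodash@4.17.20"]  # constructed dependency set

    first = node1.audit(deps)                    # node 1 caches a clean result
    db.publish("lodash", "4.17.20", "ADV-0001")  # constructed advisory is published
    second = node2.audit(deps)                   # node 2 caches the new vulnerability
    third = node1.audit(deps)                    # node 1 answers from its own cache
    return [first, second, third]


if __name__ == "__main__":
    for versioned in (False, True):
        label = "versioned keys" if versioned else "per-node keys"
        print(label, run_scenario(versioned))
```

With plain per-node keys the third run returns an empty result from node 1's cache even though node 2 has already reported the advisory; with the data version in the key, node 1 misses its cache and reports it too. A TTL on cache entries, a cache shared by all nodes, or an explicit invalidation broadcast on vulnerability-data updates would address the same divergence; which one fits depends on how the vulnerability data is refreshed.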