
[BUG] npm audit recommends reverting to a different version that contains even more vulnerabilities #6079

Open
PCOffline opened this issue Jan 24, 2023 · 1 comment
Labels
Bug (thing that needs fixing), Needs Triage (needs review for next steps), Release 9.x (work is associated with a specific npm 9 release)

Comments

PCOffline commented Jan 24, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I am using twilio@3.84.1, which depends on a vulnerable version of jsonwebtoken.
npm audit offers to revert to twilio@2.5.2 if I use the --force flag.
[screenshot: npm audit recommends downgrading to twilio@2.5.2]
twilio@2.5.2, however, contains 11 vulnerabilities which npm fails to warn about before downgrading.
[screenshot: twilio@2.5.2 contains 11 vulnerabilities]

Expected Behavior

I would expect the behaviour to prefer fewer vulnerabilities (especially when 2.5.2 has 3 critical and 3 high vulnerabilities, while 3.84.1 has 1 high and 1 moderate), or at the very least warn of existing vulnerabilities in the offered version.

Steps To Reproduce

  1. npm init
  2. npm i twilio@3.84.1
  3. npm audit
  4. npm audit fix --force

Environment

  • npm: 9.3.1
  • Node.js: 16.19.0
  • OS Name: Windows 10 Pro 10.0.19044
  • System Model Name: HP EliteDesk 800 G4 DM 65W
  • npm config:
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\Ldar\\AppData\\Roaming\\npm"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v16.19.0
; npm local prefix = C:\Users\Ldar\Documents\Code\sample-project
; npm version = 9.3.1
; cwd = C:\Users\Ldar\Documents\Code\sample-project
; HOME = C:\Users\Ldar
; Run `npm config ls -l` to show all defaults.
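The check the report asks for (compare the audit result before and after the proposed fix, and refuse a "fix" that leaves the tree worse off) can be scripted against `npm audit --json` output. The following is an added example, not npm's code and not anything from this issue's author; the report shape it reads (`auditReportVersion` 2, a `vulnerabilities` table keyed by package name with a `severity` field) is what npm 7+ emits. The two embedded reports are constructed samples that mirror only the counts stated above (1 high + 1 moderate before, 3 critical + 3 high out of 11 after); the split of the remaining 5 findings as moderate and the `dep-*` package names are assumptions.

```javascript
// Added example: decide whether a proposed `npm audit fix` makes the tree
// worse, by comparing two `npm audit --json` reports severity by severity.
// Not npm's own code. Sample reports below are CONSTRUCTED, not real output.
"use strict";

const SEVERITIES = ["critical", "high", "moderate", "low", "info"];

// Count findings per severity from the per-package table rather than
// trusting `metadata.vulnerabilities`, so a truncated or hand-edited
// report cannot understate itself.
function summarizeAudit(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const entry of Object.values(report.vulnerabilities || {})) {
    if (entry && SEVERITIES.includes(entry.severity)) counts[entry.severity] += 1;
  }
  counts.total = SEVERITIES.reduce((n, s) => n + counts[s], 0);
  return counts;
}

// Lexicographic comparison: one extra critical outweighs any number of
// fewer lows. Returns >0 if `a` is worse than `b`, <0 if better, 0 if equal.
function compareSeverity(a, b) {
  for (const s of SEVERITIES) {
    if (a[s] !== b[s]) return a[s] - b[s];
  }
  return a.total - b.total;
}

// Verdict for a proposed fix: "reject" when the post-fix tree is worse,
// "accept" when it is better, "neutral" when the counts are unchanged.
function assessFix(beforeReport, afterReport) {
  const before = summarizeAudit(beforeReport);
  const after = summarizeAudit(afterReport);
  const delta = compareSeverity(after, before);
  const verdict = delta > 0 ? "reject" : delta < 0 ? "accept" : "neutral";
  return { before, after, verdict };
}

// Build a minimal audit report from [package, severity] pairs. Only used to
// construct the samples; real reports carry more fields per entry.
function makeReport(findings) {
  const vulnerabilities = {};
  findings.forEach(([name, severity], i) => {
    vulnerabilities[name] = { name, severity, isDirect: false, via: [`advisory-${i}`] };
  });
  return {
    auditReportVersion: 2,
    vulnerabilities,
    metadata: { vulnerabilities: summarizeAudit({ vulnerabilities }) },
  };
}

// Constructed samples matching the counts the issue reports. The five
// non-critical/high findings in AFTER are assumed to be moderate.
const BEFORE = makeReport([["dep-a", "high"], ["dep-b", "moderate"]]);
const AFTER = makeReport([
  ["dep-c", "critical"], ["dep-d", "critical"], ["dep-e", "critical"],
  ["dep-f", "high"], ["dep-g", "high"], ["dep-h", "high"],
  ["dep-i", "moderate"], ["dep-j", "moderate"], ["dep-k", "moderate"],
  ["dep-l", "moderate"], ["dep-m", "moderate"],
]);

// CLI: `node compare-audit.js before.json after.json`; with no arguments the
// constructed samples are compared. Exit code 1 means "reject the fix".
function main(argv) {
  const fs = require("fs");
  const [beforePath, afterPath] = argv;
  const before = beforePath ? JSON.parse(fs.readFileSync(beforePath, "utf8")) : BEFORE;
  const after = afterPath ? JSON.parse(fs.readFileSync(afterPath, "utf8")) : AFTER;
  const result = assessFix(before, after);
  console.log(JSON.stringify(result, null, 2));
  return result.verdict === "reject" ? 1 : 0;
}

if (typeof require !== "undefined" && require.main === module) {
  process.exitCode = main(process.argv.slice(2));
}
```

To use it on a real project: run `npm audit --json > before.json`, apply `npm audit fix --force` in a throwaway copy of the project (or a fresh branch), run `npm audit --json > after.json` there, then `node compare-audit.js before.json after.json`. The lexicographic ordering is a deliberate choice: it treats the case in the report (a downgrade trading one high for three critical) as a regression no matter how many lower-severity findings disappear.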
PCOffline (Author) commented:

Bumping this
