RetireJS / retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Is retireignore ignored? #305

Closed bardware closed 1 year ago

bardware commented 5 years ago

Retire.js version: (retire --version): 2.0.3

node version: (node --version): v8.16.0

Type: Bug/Question

Description: I installed retire.js globally and call it in my project folder. I copied the example ignore file from https://github.com/RetireJS/retire.js/blob/master/example.retireignore.json into my folder as I don't want the node_modules folder to be scanned. I call retire from Windows cmd and still see the following lines in the result.

node_modules\extend/package.json
 ↳ extend 3.0.1
extend 3.0.1 has known vulnerabilities: severity: critical; summary: Prototype pollution attack; https://hackerone.com/reports/381185
node_modules\lodash/package.json
 ↳ lodash 4.17.10
lodash 4.17.10 has known vulnerabilities: severity: low; summary: Prototype pollution attack; https://hackerone.com/reports/380873
node_modules\mixin-deep/package.json
 ↳ mixin-deep 1.3.1
mixin-deep 1.3.1 has known vulnerabilities: severity: high; summary: Prototype pollution attack, CVE: CVE-2019-10746; https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
node_modules\uglify-js/package.json
 ↳ uglify-js 2.4.24
uglify-js 2.4.24 has known vulnerabilities: severity: medium; https://nodesecurity.io/advisories/48
node_modules\main-bower-files\node_modules\extend/package.json
 ↳ extend 2.0.1
extend 2.0.1 has known vulnerabilities: severity: critical; summary: Prototype pollution attack; https://hackerone.com/reports/381185
node_modules\jshint\node_modules\lodash/package.json
 ↳ lodash 3.7.0
lodash 3.7.0 has known vulnerabilities: severity: low; summary: Prototype pollution attack; https://hackerone.com/reports/310443 severity: low; summary: Prototype pollution attack; https://hackerone.com/reports/380873

How do I exclude the node_modules folder effectively? Do I have to provide a pattern? An absolute path?

A call to retire --ignore node_modules also delivers the said results.

Best, Bernhard

eoftedal commented 5 years ago

This might be related to windows file paths using \ instead of /. I haven’t spent much time trying to make it work on windows.
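An added illustration of the separator mismatch suggested above, not code from retire.js itself: an ignore entry written with `/` never prefix-matches a scanned path that Windows reports with `\`, while normalizing both sides to `/` first makes the same entry work. The ignore-list shape (`path` entries as in example.retireignore.json) and the sample paths are assumptions taken from this issue.

```javascript
// Constructed sample: paths exactly as printed in the issue report above,
// with the mixed "\" and "/" separators that Windows produced.
const scannedPaths = [
  "node_modules\\extend/package.json",
  "node_modules\\lodash/package.json",
  "node_modules\\main-bower-files\\node_modules\\extend/package.json",
  "src/app.js",
];

// Constructed ignore list in the assumed shape of example.retireignore.json:
// one "path" entry meant to exclude the whole node_modules tree.
const ignoreEntries = [
  { path: "node_modules", justification: "third-party deps audited elsewhere" },
];

// Naive check: ignored only if the scanned path literally starts with the
// entry followed by "/". A Windows path starting "node_modules\" never matches.
function isIgnoredNaive(filePath, entries) {
  return entries.some(
    (e) => filePath === e.path || filePath.startsWith(e.path + "/")
  );
}

// Normalize every backslash to "/" so Windows and POSIX paths compare equally.
function toPosix(p) {
  return p.replace(/\\/g, "/");
}

// Same prefix check, but applied after normalizing both the scanned path
// and the ignore entry (trailing slashes on the entry are tolerated).
function isIgnoredNormalized(filePath, entries) {
  const f = toPosix(filePath);
  return entries.some((e) => {
    const ig = toPosix(e.path).replace(/\/+$/, "");
    return f === ig || f.startsWith(ig + "/");
  });
}

// Which sample paths would a given checker still scan?
function stillScanned(checker) {
  return scannedPaths.filter((p) => !checker(p, ignoreEntries));
}

console.log("naive, still scanned:", stillScanned(isIgnoredNaive));
console.log("normalized, still scanned:", stillScanned(isIgnoredNormalized));
```

With the naive check all four paths are still scanned, which is the behaviour reported in the issue; with normalization only `src/app.js` remains.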