The npm CLI's security feature, which checks packages and their dependencies for known vulnerabilities, has a significant flaw when a package version contains a hyphen, which Semantic Versioning treats as marking a pre-release version. For such versions npm reports no known vulnerabilities at all, as shown by the discrepancy between npm and JFrog Xray when scanning the package cruddl 2.0.0-update.2. The npm Bulk Advisory endpoint fails to return advisories for these versions because of the way it handles pre-release tags, and attackers could use this behaviour to evade security checks. Developers are advised not to install pre-release npm packages unless they come from a highly reputable source, and to move back to non-pre-release versions as soon as possible.
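As an added illustration, not code from the page, from npm or from JFrog, the JavaScript below shows one Semantic Versioning rule under which a pre-release version slips through an advisory range check: a pre-release such as 2.0.0-update.2 does not satisfy a range like <2.1.0 unless the matcher explicitly includes pre-releases or the range itself names a pre-release on the same major.minor.patch tuple. The matcher is a small reimplementation of that subset of node-semver behaviour, not npm's own code; the advisory table, its id and its vulnerable range are constructed placeholders.

```javascript
// Added example: a minimal Semantic Versioning range matcher that makes the
// pre-release rule explicit. Not npm's code; the advisory table is constructed.

const VERSION_RE =
  /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseVersion(text) {
  const m = VERSION_RE.exec(text.trim());
  if (!m) throw new Error(`invalid semver version: ${text}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    // Pre-release identifiers; an empty array means a normal release version.
    prerelease: m[4] ? m[4].split('.') : [],
  };
}

// SemVer 2.0.0 section 11: numeric identifiers compare numerically, others
// lexically, and numeric identifiers rank below alphanumeric ones.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function comparePrerelease(a, b) {
  // A version without a pre-release tag outranks the same tuple with one.
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a[i], b[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer identifier list ranks higher.
  return Math.sign(a.length - b.length);
}

function compareVersions(a, b) {
  const va = typeof a === 'string' ? parseVersion(a) : a;
  const vb = typeof b === 'string' ? parseVersion(b) : b;
  for (const k of ['major', 'minor', 'patch']) {
    if (va[k] !== vb[k]) return va[k] < vb[k] ? -1 : 1;
  }
  return comparePrerelease(va.prerelease, vb.prerelease);
}

const OPS = {
  '<': (c) => c < 0, '<=': (c) => c <= 0, '>': (c) => c > 0,
  '>=': (c) => c >= 0, '=': (c) => c === 0, '': (c) => c === 0,
};

// Comparators are written with no space between operator and version, e.g. "<2.1.0".
function parseComparator(text) {
  const m = /^(<=|>=|<|>|=)?(.+)$/.exec(text.trim());
  return { op: m[1] || '', version: parseVersion(m[2]) };
}

// `range` is a subset of the node-semver grammar: "cmp cmp ... || cmp ...".
// With includePrerelease=false (node-semver's default) a pre-release version
// only satisfies a comparator set if some comparator in that set carries a
// pre-release tag on the same major.minor.patch tuple.
function satisfies(versionText, range, { includePrerelease = false } = {}) {
  const v = parseVersion(versionText);
  return range.split('||').some((setText) => {
    const set = setText.trim().split(/\s+/).map(parseComparator);
    const allHold = set.every((c) => OPS[c.op](compareVersions(v, c.version)));
    if (!allHold) return false;
    if (v.prerelease.length === 0 || includePrerelease) return true;
    return set.some((c) =>
      c.version.prerelease.length > 0 &&
      c.version.major === v.major &&
      c.version.minor === v.minor &&
      c.version.patch === v.patch);
  });
}

// Constructed advisory table: the id and range are placeholders, not real advisories.
const ADVISORIES = [
  { id: 'CONSTRUCTED-ADVISORY-1', package: 'cruddl', vulnerable_versions: '<2.1.0' },
];

// Return the ids of advisories whose range covers `version` for `pkg`.
function audit(pkg, version, opts) {
  return ADVISORIES
    .filter((a) => a.package === pkg && satisfies(version, a.vulnerable_versions, opts))
    .map((a) => a.id);
}

console.log(audit('cruddl', '2.0.0'));                                       // strict: 1 hit
console.log(audit('cruddl', '2.0.0-update.2'));                              // strict: no hit
console.log(audit('cruddl', '2.0.0-update.2', { includePrerelease: true })); // 1 hit
```

The defender-side takeaway is the third call: any scanner that evaluates advisory ranges with default semver semantics must opt in to pre-releases, or every hyphenated version in a dependency tree is silently excluded from matching.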