Support Yarn's `--exclude`

[sargunv]

Certain dependencies will cause NPM's quick audit endpoint to return a 400 Bad Request error, which bubbles up to yarn npm audit failing with that error and audit-ci failing with an "Invalid JSON" error.

Normally, we can work around this with yarn npm audit --exclude <pkg>, but currently there's no way to pass such excludes to Yarn when running it with audit-ci.

Would an "exclude" feature in audit-ci be acceptable? If so, I can start working on a PR.

[quinnturner]

I was not aware of this. Absolutely, I would support passing this argument.

One point of debate is whether we should just go ahead and have some approach of passing in extra arguments directly to auditors vs. making an --exclude flag.

Making a Yarn-exclusive flag would be a first. Perhaps we can have an --extra-arguments flag which would append whatever is provided to the underlying auditor directly.

[sargunv]

One point of debate is whether we should just go ahead and have some approach of passing in extra arguments directly to auditors vs. making an --exclude flag.

This sounds like a good idea to me. Happy to start a PR this week