This action checks that no compromised packages are referenced in any package-lock.json files in your repository, using a list of bad versions that's fetched from a URL of your choice.