
Request: npm/execa/GMS-2020-2.yml add Clarification and Example Exploit

Would like to request:

  • additional information be added to the description of this vulnerability: some of my confusion stems from the configuration option preferLocal, which could mean "prefer binaries installed in ./node_modules" or could mean "prefer binaries installed in $PATH".
  • a bit of description about how the vulnerability might be exploited - for instance, an author of an npm module might have to include a binary that would/could be executed in ./node_modules (in which case it feels like whoever installed the module would be at fault for installing a malicious module), or someone with access to a system would have to place a script in the $PATH or somehow modify $PATH to include an additional path in order to alter the function of the binary called by execa
Edited by Colin Johnson