You have to be careful when depending on packages that are GitHub-hosted: if you’re just pointing to the master branch of a package (which is the default when adding such dependencies), you can get in all sorts of trouble when that branch is updated and it’s either not functional (it happens) or it breaks backward compatibility (that happens too).
I think this is what npm is trying to tell you.
FWIW, you should always include an identifier to a particular commit/tag/sha when you’re dealing with GitHub-hosted dependencies. See this for more documentation. Although I doubt that npm won’t also mark these URLs as red, because it’s still possible for any of those identifiers to get invalidated.
EDIT: perhaps not quite.
Looking at it a little closer, it’ll show the package name in red if the installed version doesn’t (semver-)match the required version as set in package.json. In case of GitHub-hosted packages these will probably never match, hence the red.
Yellow is used when the installed version matches the required version, but there’s a more recent version available in the NPM repository.
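
An added example, not part of the original answer: a small Node.js check that walks a `package.json` and reports git-hosted dependencies that are not pinned to a full commit hash (no identifier at all, a branch or tag name, or a `semver:` range). The manifest, package names and repository names are constructed sample data, and the function names are hypothetical.

```javascript
// Constructed sample manifest; every package and repository name is made up.
const samplePackageJson = {
  dependencies: {
    "registry-pkg": "^1.2.3",
    "unpinned-short": "someuser/somerepo",
    "branch-pin": "github:someuser/somerepo#master",
    "tag-pin": "git+https://github.com/someuser/somerepo.git#v1.4.0",
    "semver-pin": "someuser/somerepo#semver:^1.4.0",
    "sha-pin": "git+ssh://git@github.com/someuser/somerepo.git#0123456789abcdef0123456789abcdef01234567",
  },
  devDependencies: {},
};

// Git-style specs covered here: git+<proto>://, git://, github:, and the
// bare user/repo shorthand. Anything else is reported as "not-git".
function isGitSpec(spec) {
  return /^(git\+|git:\/\/|github:)/.test(spec) ||
    /^[A-Za-z0-9][\w.-]*\/[\w.-]+(#.+)?$/.test(spec);
}

// Classify what the part after '#' (the commit-ish) pins the dependency to.
function classify(spec) {
  if (!isGitSpec(spec)) return "not-git";
  const hash = spec.indexOf("#");
  if (hash === -1) return "default-branch";        // follows the default branch
  const ref = spec.slice(hash + 1);
  if (/^[0-9a-f]{40}$/i.test(ref)) return "commit"; // full SHA-1 commit id
  if (ref.startsWith("semver:")) return "semver-range"; // resolved against tags
  return "named-ref";  // branch or tag name (abbreviated hashes land here too)
}

// List every git-hosted dependency that is not pinned to a full commit id.
function audit(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const pin = classify(spec);
      if (pin !== "not-git" && pin !== "commit") findings.push({ section, name, spec, pin });
    }
  }
  return findings;
}

for (const f of audit(samplePackageJson)) {
  console.log(`${f.section}: ${f.name} -> ${f.spec} [${f.pin}]`);
}
```

Run against a real manifest by replacing `samplePackageJson` with the parsed contents of your own `package.json`.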