actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License

detected a "new" vulnerability which was already in the project #634

Closed Loki-Afro closed 9 months ago

Loki-Afro commented 9 months ago

when updating a dependency, dependency-review blocked the PR and complained because it found a "new" vulnerability

but that vulnerability was already in the code, so it should not have blocked that pr.

keep in mind that this is an npm project, you can also find the specific commit here: https://github.com/hpi-schul-cloud/schulcloud-server/commit/ffc78d56f2293bc2e8312f2bc1205d5b435ee722

here are the results from the logs

Dependency review did not detect any denied packages
Vulnerabilities
  package-lock.json » mongodb@4.11.0 – MongoDB Driver may publish events containing authentication-related data (moderate severity)
    ↪ https://github.com/advisories/GHSA-vxvm-qww3-2fh7
  Error: Dependency review detected vulnerable packages.
Licenses
Denied
Dependency Changes
  File: package-lock.json
  + mongodb@4.11.0
  - mongodb@4.11.0
  - mongodb@4.9.1
  + @mikro-orm/core@5.5.3
  + @mikro-orm/mongodb@5.5.3
  + dotenv@16.0.3
  + mikro-orm@5.9.3
  - @mikro-orm/core@5.4.2
  - @mikro-orm/mongodb@5.4.2
  - denque@2.1.0
  - dotenv@16.0.2
  - mikro-orm@5.4.2
  File: package.json
  + @mikro-orm/core@^5.5.3
  + @mikro-orm/mongodb@^5.5.3
  - @mikro-orm/core@^5.4.2
  - @mikro-orm/mongodb@^5.4.2

I guess this is because this dependency was installed twice, or in other words, it was present multiple times in the package-lock.json file, probably once installed like node_modules/some-dep/node_modules/mongodb. I'm not an npm expert, but given that one flattens the results afterwards anyway, shouldn't it just dismiss this issue?

  File: package-lock.json
  + mongodb@4.11.0 <---
  - mongodb@4.11.0 <---
  - mongodb@4.9.1

=

  - mongodb@4.9.1
febuiles commented 9 months ago

@Loki-Afro The Action will block any PR containing vulnerable dependencies, even if they already existed in the code (as long as the manifest file is touched). I recommend using the allow-ghsas configuration option to make an exception for existing vulnerabilities you're already aware of.
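A workflow that applies the maintainer's suggestion, added here as an example; it is not part of the issue, the action's documentation, or the project's own files. The GHSA ID is the one from the log above; the workflow path, the `v4` tags for the checkout and dependency-review actions, and the `moderate` threshold are assumptions.

```yaml
# .github/workflows/dependency-review.yml (path is an assumption)
name: Dependency Review

on:
  pull_request:

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Keep failing the PR on any newly introduced advisory of
          # moderate severity or higher (threshold is an assumption).
          fail-on-severity: moderate
          # Advisory that was already present before this PR, taken from
          # the log above. Listing it here lets PRs that merely touch
          # package-lock.json pass; remove the entry once mongodb is
          # upgraded to a version that no longer carries the advisory.
          allow-ghsas: GHSA-vxvm-qww3-2fh7
```

The allowance is keyed to the advisory ID, not to the package, so a different advisory against mongodb would still block the PR. Keeping the allowed list short and revisiting it whenever the affected package is upgraded avoids the exception outliving the vulnerability it was meant to cover.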