danihodovic / celery-exporter

A Prometheus exporter for Celery metrics
MIT License

Vulnerabilities in node_modules #299

Closed wyattw-orca closed 3 months ago

wyattw-orca commented 3 months ago

Hello! Our scans are picking up several vulnerable packages in the node_modules folder. These are coming from the contributor-faces dependency in package.json. I'm sorry that I can't provide a PR but I'm not sure where that is being added in the build process, and there are no new releases of that dependency either.

For reference, the CVEs are:

CVE-2020-28469 affecting glob-parent 2.0.0
CVE-2021-33623 affecting trim-newlines 1.0.0
CVE-2022-33987 affecting got 10.7.0
CVE-2018-1109 affecting braces 1.8.5
CVE-2020-7608 affecting yargs-parser 7.0.0

danihodovic commented 3 months ago

How is this practically a CVE? I only use contributor-faces to generate contributors for the README. It's not used at runtime.

wyattw-orca commented 3 months ago

Our software scans and reports on all files in an image. I think I may have jumped the gun and this isn't a vulnerability. Sorry about that!
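Triage of this kind of finding, as an added example that is not part of the project or of this thread: it reads an npm lockfile (v2/v3 "packages" layout, where packages reachable only through devDependencies carry "dev": true) and reports whether each scanner hit is dev-only, a runtime dependency, or not installed at the flagged version. The lockfile contents, the contributor-faces version, "example-runtime-lib" and its finding are constructed; the five CVE/package pairs are the ones from the report.

```python
import json
# Constructed npm lockfile (v2/v3 "packages" layout): contributor-faces is a devDependency,
# the five packages from the report sit under it with "dev": true, and the made-up
# "example-runtime-lib" (placeholder version) stands in for a production dependency.
SAMPLE_LOCK_JSON = json.dumps({
    "packages": {
        "": {"dependencies": {"example-runtime-lib": "^1.0.0"},
             "devDependencies": {"contributor-faces": "^1.0.0"}},
        "node_modules/contributor-faces": {"version": "1.0.0", "dev": True},
        "node_modules/glob-parent": {"version": "2.0.0", "dev": True},
        "node_modules/trim-newlines": {"version": "1.0.0", "dev": True},
        "node_modules/got": {"version": "10.7.0", "dev": True},
        "node_modules/contributor-faces/node_modules/braces": {"version": "1.8.5", "dev": True},
        "node_modules/yargs-parser": {"version": "7.0.0", "dev": True},
        "node_modules/example-runtime-lib": {"version": "1.0.0"},
    },
})

# Scanner findings: the five from the report plus one constructed runtime finding.
FINDINGS = [
    ("CVE-2020-28469", "glob-parent", "2.0.0"),
    ("CVE-2021-33623", "trim-newlines", "1.0.0"),
    ("CVE-2022-33987", "got", "10.7.0"),
    ("CVE-2018-1109", "braces", "1.8.5"),
    ("CVE-2020-7608", "yargs-parser", "7.0.0"),
    ("EXAMPLE-FINDING", "example-runtime-lib", "1.0.0"),  # constructed
]

def installed_copies(lock, name, version):
    """Return the 'dev' flag of each installed copy of name@version, nested paths included."""
    flags = []
    for path, meta in lock["packages"].items():  # the "" root entry never matches a package name
        if path.rsplit("node_modules/", 1)[-1] == name and meta.get("version") == version:
            flags.append(bool(meta.get("dev", False)))
    return flags

def triage(lock_json, findings):
    """Map each finding id to 'dev-only', 'runtime' or 'not-installed'."""
    lock = json.loads(lock_json)
    verdicts = {}
    for finding_id, name, version in findings:
        flags = installed_copies(lock, name, version)
        if not flags:
            verdicts[finding_id] = "not-installed"  # image contents and lockfile disagree
        elif all(flags):
            verdicts[finding_id] = "dev-only"  # only reachable through devDependencies
        else:
            verdicts[finding_id] = "runtime"  # at least one production copy is installed
    return verdicts
```

A dev-only verdict explains the hit but does not remove it: the files are still present in the image, so installing with `npm ci --omit=dev` or keeping node_modules out of the image is what makes the scanner stop reporting them.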