I hope this message reaches you in robust health. I am writing to bring your attention to a possible security issue which I've detected in our recently implemented package. My security analysis using Vulert on the lock file has drawn attention to the existence of over three potentially hazardous dependencies.
Acknowledging the immense risk these vulnerabilities can pose to our project, I am not clear about the most suitable course of action for responsible revelation. We need to keep in mind that even though some of these dependencies are only for development, their inclusion in the lock file indicates they may appear in the vendor directory, and thus, managing them is crucial.
I recommend we act swiftly to mitigate these vulnerabilities and protect our project's security. Should you need further information or a detailed clarification, please feel free to reach out to me.
Hello Team,
I hope this message reaches you in robust health. I am writing to bring your attention to a possible security issue which I've detected in our recently implemented package. My security analysis using Vulert on the lock file has drawn attention to the existence of over three potentially hazardous dependencies.
Acknowledging the immense risk these vulnerabilities can pose to our project, I am not clear about the most suitable course of action for responsible revelation. We need to keep in mind that even though some of these dependencies are only for development, their inclusion in the lock file indicates they may appear in the vendor directory, and thus, managing them is crucial.
To fully understand the situation, the vulnerability scan report of the package-lock file is available for your perusal at this link: https://vulert.com/vuln-scan/list/bef19fda-7155-45ef-8468-bc045b358845
I recommend we act swiftly to mitigate these vulnerabilities and protect our project's security. Should you need further information or a detailed clarification, please feel free to reach out to me.
For your convenience, the scanned lock file is available at this address: https://github.com/babel/ember-cli-babel/blob/master/yarn.lock
Your prompt attention and action on this matter is greatly anticipated.
Best regards.