Closed mlieberman85 closed 3 weeks ago
You don't have a dependency on cookie@0.5.1; you've got a dependency on @types/cookie@0.5.1, which is a different package (specifically, it's the TypeScript types for the cookie package, provided by DefinitelyTyped): https://www.npmjs.com/package/@types/cookie
Oops, my bad. Thanks! I'll close this.
No worries, better safe than sorry ay!
The following SBOM includes multiple versions of the npm package cookie. OSV-Scanner finds most of the vulns for the various versions of cookie. However, it misses 0.5.1. I will also look for other false negatives as well.

Link to SBOM - https://raw.githubusercontent.com/guacsec/guac-data/refs/heads/main/top-dh-sboms/rocket.chat.json
Steps to replicate:
Relevant part of output:
Note: 0.5.0 is found but not 0.5.1
Relevant part of the SBOM:
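The check that resolves this report, as an added example that is not part of the issue and not OSV-Scanner's own code: group the npm purls in an SPDX-style SBOM by exact package name so that `cookie` and `@types/cookie` are listed separately, and flag names that merely end in `/cookie`. The SBOM document below is constructed for the example (it is not the linked rocket.chat.json); the `SAMPLE_SBOM`, `parse_npm_purl`, `npm_versions_by_name` and `lookalikes` names are this example's own. It assumes the SPDX 2.x JSON layout, where each entry in `packages` carries its purl in `externalRefs[].referenceLocator`.

```python
import json
from collections import defaultdict
from urllib.parse import unquote

# Constructed, minimal SPDX 2.3-style document for this example (not the
# rocket.chat.json SBOM linked in the issue). It deliberately contains both
# cookie (two versions) and @types/cookie@0.5.1.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "cookie", "versionInfo": "0.4.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/cookie@0.4.2"}]},
        {"name": "cookie", "versionInfo": "0.5.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/cookie@0.5.0"}]},
        {"name": "@types/cookie", "versionInfo": "0.5.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/%40types/cookie@0.5.1"}]},
        {"name": "express", "versionInfo": "4.18.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.18.2"}]},
    ],
})


def parse_npm_purl(purl):
    """Split an npm purl into (name, version).

    Scoped names are percent-encoded in purls (pkg:npm/%40types/cookie@0.5.1),
    so the only literal '@' is the version separator. Returns None for
    purls of other ecosystems.
    """
    if not purl.startswith("pkg:npm/"):
        return None
    rest = purl[len("pkg:npm/"):]
    # Drop qualifiers and subpath, which a purl may carry after '?' or '#'.
    rest = rest.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = rest.partition("@")
    return unquote(name), (version if sep else None)


def npm_versions_by_name(sbom_json):
    """Map each exact npm package name to the sorted versions found in the SBOM."""
    doc = json.loads(sbom_json)
    found = defaultdict(set)
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            parsed = parse_npm_purl(ref.get("referenceLocator", ""))
            if parsed and parsed[1]:
                found[parsed[0]].add(parsed[1])
    return {name: sorted(vs) for name, vs in found.items()}


def lookalikes(versions_by_name, wanted):
    """Names that end in '/<wanted>' (e.g. '@types/cookie' for 'cookie'):
    the packages most easily mistaken for the one being searched for."""
    return sorted(n for n in versions_by_name
                  if n != wanted and n.endswith("/" + wanted))


if __name__ == "__main__":
    versions = npm_versions_by_name(SAMPLE_SBOM)
    print("cookie versions in SBOM:", versions.get("cookie", []))
    for other in lookalikes(versions, "cookie"):
        print("not cookie, but easily confused:", other, versions[other])
```

Run against the constructed document, the report lists `cookie` at 0.4.2 and 0.5.0 only, and names `@types/cookie` (0.5.1) as a separate package, which is exactly the distinction the reply above makes: a scanner that reports no finding for cookie@0.5.1 here is correct, because no such dependency is in the SBOM.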