googleads / videojs-ima

IMA SDK Plugin for Video.js
Apache License 2.0

Potential security vulnerabilities in devDependency watch@1.0.2 #997

Closed Kiro705 closed 2 years ago

Kiro705 commented 3 years ago

The devDependency watch@1.0.2 uses merge@^1.2.0, which has been shown to have a vulnerability. Watch is currently unmaintained, so to fix this issue a new dependency will be needed to replace Watch.

Because Watch is a devDependency, this vulnerability will not affect those using the videoJS-IMA plugin in production. That being said, the IMA team will work to resolve this issue.
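One way to check the reasoning above, that the vulnerable package only arrives through a devDependency, as an added example that is not part of the original issue or the videojs-ima project: it walks the `packages` map of an npm lockfile (v2/v3 layout) and reports whether any installed copy of `merge` lacks the `dev` flag. The lockfile is constructed sample data; `auditTransitive`, `nameOf`, the resolved `merge` version and the `video.js` entry are assumptions.

```javascript
// Constructed sample lockfile (npm lockfile v2/v3 "packages" layout).
// Only watch@1.0.2 and merge@^1.2.0 come from the issue; the resolved merge
// version and the video.js entry are made-up sample values.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": {
      name: "videojs-ima",
      dependencies: { "video.js": "^7.0.0" },
      devDependencies: { watch: "1.0.2" },
    },
    "node_modules/video.js": { version: "7.0.0" },
    "node_modules/watch": { version: "1.0.2", dev: true, dependencies: { merge: "^1.2.0" } },
    "node_modules/merge": { version: "1.2.1", dev: true },
  },
};

// The package name is whatever follows the last "node_modules/" in the key,
// which also handles nested copies and scoped names such as @scope/pkg.
function nameOf(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Report every installed copy of `target`, which installed packages declare it
// as a dependency, and whether any copy would be present in a production install.
function auditTransitive(lock, target) {
  const entries = Object.entries(lock.packages || {}).filter(([p]) => p !== "");
  const copies = entries
    .filter(([p]) => nameOf(p) === target)
    .map(([p, meta]) => ({ path: p, version: meta.version, devOnly: meta.dev === true }));
  const requiredBy = entries
    .filter(([, meta]) => meta.dependencies && target in meta.dependencies)
    .map(([p, meta]) => `${nameOf(p)}@${meta.version}`);
  return {
    installed: copies.length > 0,
    copies,
    requiredBy,
    // Anything not flagged dev: true (including devOptional) is treated
    // conservatively as reachable from a production install.
    reachesProduction: copies.some((c) => !c.devOnly),
  };
}

console.log(JSON.stringify(auditTransitive(sampleLock, "merge"), null, 2));
```

A result with `reachesProduction: false` matches the issue's assessment; a copy without the `dev` flag means some production dependency also pulls the package in.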

Kiro705 commented 2 years ago

This warning has been resolved.