jgonggrijp
commented
1 year ago @RahatFatimah Thank you for taking the time to report this.
For clarity, these vulnerabilities do not affect end users, because the dependencies are only used during development.
You are welcome to submit a pull request updating the dependencies. We normally update these as we prepare for the next release.
Next time you suspect a security leak, please do not submit an issue ticket but email us instead, as instructed in the security policy.
Hello maintainers,
I wanted to bring to your attention that after installing the package, I ran a vulnerability scan with vulert abom on the lock file and discovered that there are over 27 vulnerable dependencies present. As these vulnerabilities can potentially impact the security of the entire project, I am unsure whether to report this under responsible disclosure.
For your reference, here is a link to the report of the package-lock file I scanned: https://vulert.com/vuln-scan/list/184a493a-d08e-42f2-9282-0e77dd6038f4
I recommend that we take immediate action to address these vulnerabilities and ensure the security of the project. Please let me know if you require any further information.
P.S. this is the lock file I scanned: https://github.com/jashkenas/underscore/blob/master/package-lock.json
Thank you.