There's discussion in the Node.js ecosystem to create a standard file format to allow Node.js module authors to write a "counterclaim" against a vulnerability with one of its direct or nested dependency.
This is similar to CSAF 2.0 and CycloneDX VEX profiles, which allow software authors to similarly write about their evaluation on the practical impact of the vulnerability.
This issue is to keep track of these proposals.
The expected end-goal is to eventually adopt this file format alongside the CSAF 2.0 and CycloneDX VEX profiles.
There's discussion in the Node.js ecosystem to create a standard file format to allow Node.js module authors to write a "counterclaim" against a vulnerability with one of its direct or nested dependency.
New RFC
Old RFC
Other discussions
This is similar to CSAF 2.0 and CycloneDX VEX profiles, which allow software authors to similarly write about their evaluation on the practical impact of the vulnerability.
This issue is to keep track of these proposals.
The expected end-goal is to eventually adopt this file format alongside the CSAF 2.0 and CycloneDX VEX profiles.