We're getting a large number of component governance alerts because certain VSCode built-in extensions (`handlebars`, `npm`, `json`, etc.) have the same package names as NPM packages. The alerts are false on multiple levels: firstly, they're in `.vscode-test`, which should not be scanned, and secondly, they aren't the actual NPM packages; just the package name and version matches a vulnerable NPM package.

This should suppress those CG alerts.