I use dependency-scan and it worked out like this.
urijs
urijs <=1.19.10
Severity: high
Incorrect protocol extraction via \r, \n and \t characters - https://github.com/advisories/GHSA-3vjf-82ff-p4r3
URL Confusion When Scheme Not Supplied in medialize/uri.js - https://github.com/advisories/GHSA-g694-m8vq-gv9h
Hostname spoofing via backslashes in URL - https://github.com/advisories/GHSA-89gv-h8wf-cg8r
Open Redirect in urijs - https://github.com/advisories/GHSA-8h2f-7jc4-7m3m
Leading white space bypasses protocol validation - https://github.com/advisories/GHSA-gmv4-r438-p67f
Authorization Bypass Through User-Controlled Key in urijs - https://github.com/advisories/GHSA-gcv8-gh4r-25x6
xml2js
xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install aws-sdk@2.1418.0, which is outside the stated dependency range
node_modules/xml2js
aws-sdk <=2.1353.0
Depends on vulnerable versions of xml2js
node_modules/aws-sdk