Dear Maintainers,
I hope this message finds you well. I am writing to notify you about a potential security issue regarding the package we recently installed. Upon running a vulnerability scan via Vulert on the lock file, I uncovered a total of 8 vulnerable dependencies.
Recognizing the potential security risk these vulnerabilities pose to our project, I am unsure about the protocol for reporting under responsible disclosure. I note that some dependencies are for development only. However, given their presence in the lock file, they might appear in the vendor folder, and thus, I believe their management is crucial.
For a more detailed look, you can find the scanned package-lock file report at the following link: https://vulert.com/vuln-scan/list/dab47a1b-ad2d-45c0-965c-f222a52bdfa3
I strongly suggest that we promptly address these vulnerabilities to ensure our project's security. If you need more information or clarification, please feel free to reach out to me.
In addition, you can find the scanned lock file at this location: https://github.com/webpack-contrib/style-loader/blob/master/package-lock.json
Looking forward to your prompt response.
Best regards.
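As an added illustration (not part of the report above or of style-loader's own code): a small Node.js triage script that splits findings from a lock-file scan like the one described into production-reachable and dev-only packages, using the `dev: true` flag that npm writes into `package-lock.json` (lockfileVersion 2 and 3). The lock-file fragment, the advisory list, and all package names and versions below are constructed for the example.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3 shape, hypothetical packages).
// npm marks packages reachable only through devDependencies with "dev": true.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'lib-a': '^1.0.0' }, devDependencies: { 'lib-b': '^2.0.0' } },
    'node_modules/lib-a': { version: '1.2.3' },
    'node_modules/lib-b': { version: '2.0.1', dev: true },
    'node_modules/lib-c': { version: '0.9.0', dev: true },
    'node_modules/lib-a/node_modules/lib-d': { version: '3.1.0' },
  },
};

// Constructed advisories: a package is affected when its installed version is below fixedIn.
const ADVISORIES = [
  { name: 'lib-a', fixedIn: '1.3.0' },
  { name: 'lib-b', fixedIn: '2.1.0' },
  { name: 'lib-c', fixedIn: '1.0.0' },
  { name: 'lib-d', fixedIn: '3.0.0' },
];

// Compare dotted numeric versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment,
// which also handles nested installs and scoped packages (@scope/name).
function nameFromPath(p) {
  const marker = 'node_modules/';
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Walk every installed package and bucket vulnerable ones by reachability.
function triage(lock, advisories) {
  const result = { production: [], devOnly: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry, not an installed package
    const name = nameFromPath(path);
    for (const adv of advisories) {
      if (adv.name === name && compareVersions(entry.version, adv.fixedIn) < 0) {
        (entry.dev ? result.devOnly : result.production).push(`${name}@${entry.version}`);
      }
    }
  }
  return result;
}
```

Production-reachable findings are the ones that can ship to users; dev-only ones still matter for build-host and CI security, but can be prioritised separately.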