Vulnerable dependencies (indirect security issues)
davidz1337 opened this issue · 2 comments
Hello maintainers,
I wanted to bring to your attention that after installing the package, I ran a vulnerability scan with vulert abom on the lock file and discovered that there are over 5 vulnerable dependencies present. As these vulnerabilities can potentially impact the security of the entire project, I am unsure whether to report this under responsible disclosure.
For your reference, here is a link to the report of the package-lock file I scanned: https://vulert.com/vuln-scan/list/edf35b30-d54a-4cfa-9c8c-8f3fb523da6c
I recommend that we take immediate action to address these vulnerabilities and ensure the security of the project. Please let me know if you require any further information.
P.S. this is the lock file i scanned: https://github.com/motdotla/dotenv/blob/master/package-lock.json
Thank you.
This is my first time seeing vulert.
dotenv is a zero-dependency npm package so these are developer dependencies only.
That said, we do address these one as a time as they come up for those contributing to dotenv. We'll be looking at these soon as well.
Going to close this as we rely on GitHub's Security features for this.