Vulnerable dependencies (indirect security issues)

Question

Vulnerable dependencies (indirect security issues)

davidz1337 opened this issue a year ago · 4 comments

Hello maintainers,

I wanted to bring to your attention that after installing the package, I ran a vulnerability scan with vulert abom on the lock file and discovered that there are over 44 vulnerable dependencies present. As these vulnerabilities can potentially impact the security of the entire project, I am unsure whether to report this under responsible disclosure.

For your reference, here is a link to the report of the package-lock file I scanned: https://vulert.com/vuln-scan/list/c4930ba5-36e1-42b7-bc77-a45c8ee6cb82

I recommend that we take immediate action to address these vulnerabilities and ensure the security of the project. Please let me know if you require any further information.

P.S. this is the lock file i scanned: https://github.com/petkaantonov/bluebird/blob/master/package-lock.json

Thank you.

Answer 1 · 2023-07-14T06:18:04.000Z

Bluebird has no dependencies 🤔 ?

https://github.com/petkaantonov/bluebird/blob/master/package.json nothing under "dependencies" here.

Or do you mean when locally working on bb dev?

Answer 2 · 2023-07-14T16:06:35.000Z

hmm, but in package-lock there are many dependencies, did you check https://github.com/petkaantonov/bluebird/blob/master/package-lock.json ?

Answer 3 · 2023-07-15T17:36:09.000Z

@RahatFatimah what exactly do you think the package-lock does?

Answer 4 · 2023-11-24T09:17:16.000Z

Bluebird itself does not have any runtime dependencies. The dependencies you see in package-lock.json are dependencies of its development dependencies.