How can I report and track vulnerabilities related to dependencies of the Node-RED project?

My organization uses OWASP Dependency-Check to scan our projects for vulnerabilities. This is flagging the css-what dependency, which is a grandchild dependency of
+-- firstname.lastname@example.org
| +-- @email@example.com
| | +-- firstname.lastname@example.org
| | | +-- email@example.com
| | | | +-- firstname.lastname@example.org

On GitHub there is documentation for reporting security vulnerabilities, but I figure that is for reporting security vulnerabilities in the Node-RED source code, rather than a dependency. Since I cannot override the version of css-what that gets resolved in the dependency tree, it would be useful to know if/when Node-RED will upgrade the necessary dependencies to non-vulnerable versions.
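
For tracking a scanner finding like the one described above, it helps to name the direct dependency that pulls in the flagged package. The following is an added example, not part of the original post and not Node-RED code: it walks a tree shaped like `npm ls --all --json` output and lists every chain leading to a package. The sample tree, its package names (other than css-what) and all versions are constructed placeholders.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output.
// Names other than css-what and every version number are placeholders.
const sampleTree = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "direct-a": {
      version: "2.0.0",
      dependencies: {
        "mid-b": {
          version: "0.3.1",
          dependencies: { "css-what": { version: "0.0.1" } },
        },
      },
    },
    "direct-c": {
      version: "1.1.0",
      dependencies: { "css-what": { version: "0.0.2" } },
    },
    "direct-d": { version: "4.0.0" },
  },
};

// Return every dependency chain (as an array of "name@version") ending at target.
function findPaths(node, target, trail = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}@${child.version || "unknown"}`];
    if (name === target) hits.push(here);
    // Keep descending: the target may also appear deeper in the same branch.
    hits.push(...findPaths(child, target, here));
  }
  return hits;
}

// Group the chains by the direct dependency that introduces them, so a
// report can say which top-level package needs an upstream upgrade.
function summarize(tree, target) {
  const byDirect = {};
  for (const path of findPaths(tree, target)) {
    byDirect[path[0]] = byDirect[path[0]] || [];
    byDirect[path[0]].push(path.join(" > "));
  }
  return byDirect;
}

console.log(summarize(sampleTree, "css-what"));
```
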