There is a reported vulnerability in showdown <= 2.1.0 https://nvd.nist.gov/vuln/detail/CVE-2024-1899 which affects this package. However, it looks like it's not even used anymore:
https://github.com/search?q=repo%3APatternslib%2FPatterns%20showdown&type=code. Can it just be removed as a dependency?
For what it's worth, at my company we use https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm to build a software bill of materials (SBOM) and upload this to an OWASP service. All it does is cross-reference package versions with sources of known vulnerabilities; it doesn't actually inspect the code to see if or how it's used. So this got flagged simply because the dependency was listed in package.json.
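The gap the post describes, a version-only SBOM match versus what the code actually imports, can be checked locally before filing or triaging such a report. The script below is an added example, not code from this issue, from Patternslib, or from cyclonedx-npm. It runs two checks over constructed in-memory data: a version-only advisory match (how a scanner flags a dependency) and a regex scan of source files for `import`/`require` specifiers (whether the declared package is referenced at all). The advisory record shape, the sample package.json, and the sample source files are all assumptions; only the package name, the CVE id and the `<= 2.1.0` range come from the post. The regex is a heuristic; a production check would walk an AST or use a tool such as depcheck.

```javascript
// Added example: reconcile a version-only vulnerability match with actual
// import usage in a JavaScript project. All data below is constructed.

// Constructed advisory record (layout is an assumption). The CVE id and the
// "<= 2.1.0" range are the ones quoted in the issue text.
const ADVISORIES = [
  { id: "CVE-2024-1899", name: "showdown", maxVulnerable: "2.1.0" },
];

// Constructed package.json: showdown is declared but never imported below.
const PACKAGE_JSON = {
  name: "sample-project",
  dependencies: {
    showdown: "2.1.0",
    "@scope/widgets": "1.4.2",
    lodash: "4.17.21",
  },
};

// Constructed source tree: path -> file contents.
const SOURCE_FILES = {
  "src/index.js": `import _ from "lodash";\nimport { Widget } from "@scope/widgets/dist/widget";\nexport const main = () => _.noop(Widget);`,
  "src/lazy.js": `export const load = () => import("lodash/fp");`,
  "src/legacy.js": `const path = require("path"); // Node builtin, not a declared dependency`,
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release tags and range operators are out of scope for this example.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Version-only matching, the way an SBOM scanner does it: declared name and
// version against the advisory list, without looking at any source code.
function findVulnerableDeclarations(pkg, advisories) {
  const declared = pkg.dependencies || {};
  return advisories
    .filter((adv) => declared[adv.name] !== undefined &&
      compareVersions(declared[adv.name].replace(/^[\^~]/, ""), adv.maxVulnerable) <= 0)
    .map((adv) => ({ id: adv.id, name: adv.name, version: declared[adv.name] }));
}

// Reduce an import specifier to its package name:
// "lodash/fp" -> "lodash", "@scope/widgets/dist/widget" -> "@scope/widgets",
// "./local" -> null (relative paths are not packages).
function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null;
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Matches static `import ... from "x"`, bare `import "x"`, dynamic `import("x")`
// and `require("x")`, capturing the specifier.
const IMPORT_RE = /(?:\bimport\s*(?:[^'"]*?\bfrom\s*)?|\brequire\s*\(\s*|\bimport\s*\(\s*)['"]([^'"]+)['"]/g;

// Set of package names referenced anywhere in the source tree.
function referencedPackages(sourceFiles) {
  const names = new Set();
  for (const content of Object.values(sourceFiles)) {
    for (const m of content.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1]);
      if (name) names.add(name);
    }
  }
  return names;
}

// Declared dependencies that no source file imports: candidates for removal.
function findUnusedDependencies(pkg, sourceFiles) {
  const used = referencedPackages(sourceFiles);
  return Object.keys(pkg.dependencies || {}).filter((name) => !used.has(name)).sort();
}

// Run both checks side by side on the constructed data.
console.log("flagged by version match:", findVulnerableDeclarations(PACKAGE_JSON, ADVISORIES));
console.log("declared but never imported:", findUnusedDependencies(PACKAGE_JSON, SOURCE_FILES));
```

On the sample data the first check flags showdown on version alone, and the second shows it is never imported, which is exactly the situation the post describes: a finding that is real from the scanner's point of view but resolves by dropping the dependency rather than patching code.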