19 Jun 2026, 10:23 a.m.
Presumably the limited uses of those packages within the doc generation aren't actually affected by most of the CVEs, e.g. I doubt anybody is concerned about information leakage or a proxy bypass when Axios is used to fetch some files during the doc generation step. But again, the scanners don't understand such nuances.
I get that. We also had trouble with test certificates that were used in CI to verify the TLS integration. They were flagged as if we had committed our .env to the repo ;). We eventually got rid of these too.
Thanks for everybody's prompt responses to this (and to Sam for pointing me to the release tools change that removed them from the snapshots).
Thank you for reporting the issue.