Struggling with an SCA alert transitive dependency vulnerability, need help
Hey folks, I’m a junior dev and we just integrated an SCA tool into our CI pipeline for a Node.js project. It immediately flagged a high-severity RCE in a transitive dependency that’s three levels deep. The direct library we depend on hasn’t updated in months, and the repo seems abandoned. My manager expects me to either fix it or document why it’s a false positive. I’m not experienced enough to assess exploitability properly—if the vulnerable function is never invoked in our code, does that make it safe to suppress? Also, can I use an override or patch-package to force a fix without upstream? I’m worried about breaking things or introducing regressions. I’ve never handled SCA alerts before, so a step-by-step approach would really help. Any tips on how to handle these findings responsibly?
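One concrete check for the override route the question mentions, added here as an example that is not part of the original post: it walks a dependency tree in the shape that `npm ls --all --json` prints (a constructed sample is embedded) and lists every path that still resolves the flagged package below the fixed version, so a `package.json` `overrides` entry can be confirmed to have actually displaced the transitive copy. All package names and versions below are made up.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output.
// `deep-parser` appears twice: once at a vulnerable version three levels
// deep, once already at the fixed version under another dependency.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "direct-lib": {
      version: "2.0.0",
      dependencies: {
        "middle-lib": {
          version: "0.9.1",
          dependencies: { "deep-parser": { version: "1.2.2" } },
        },
      },
    },
    "other-lib": {
      version: "3.1.0",
      dependencies: { "deep-parser": { version: "1.2.3" } },
    },
  },
};

// Numeric major.minor.patch comparison; negative when a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; returns "root > dep@ver > ... > pkg@ver" strings for
// every occurrence of pkgName whose version is below fixedIn.
function findVulnerablePaths(tree, pkgName, fixedIn) {
  const hits = [];
  (function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = path.concat(`${name}@${child.version}`);
      if (name === pkgName && compareVersions(child.version, fixedIn) < 0) {
        hits.push(next.join(" > "));
      }
      walk(child, next);
    }
  })(tree, [tree.name]);
  return hits;
}

// The package.json fragment that pins the transitive package tree-wide.
function overrideEntry(pkgName, fixedIn) {
  return { overrides: { [pkgName]: fixedIn } };
}
```

Run it before and after adding the override: an empty result from `findVulnerablePaths` on a fresh `npm ls --all --json` is the evidence to attach to the alert.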