In the world of CVEs, we know there’s a lot of noise, which is why we want to hear directly from you (our partnered maintainers) about the CVEs that matter—and the ones that don't. To do this, we designed a task flow that allows you to flag false positives or describe the specifics of when a vulnerability applies.
For each security vulnerability we find on your package, you’ll be guided through a series of questions that help us understand if the vulnerability is of concern, and when. We then use this data to help users of your package prioritize and address these security issues.