Reports received continously

[airween]

Select Topic Area

Question

Body

Hi all,

we have a Hugo based site served by GH pages. Hugo has a template which had an "exampleSite" directory.

That directory had several npm packages, which had many issues. Because we don't use that directory (the "exampleSite"), I removed it from our repository.

Despite of this, I continuously received the notifications about a bug (in e-mail), but when I check the link, the report is empty:

https://github.com/advisories/GHSA-5gfm-wpxj-wjgq/dependabot?query=user:owasp-modsecurity

In the mail I got this message:
"1 repository in your owasp-modsecurity organization might be affected by a security vulnerability in node-forge.

node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization

[High severity]

node-forge

CVE-2025-12816

owasp-modsecurity/website

• themes/dot-org-hugo-theme/exampleSite/package-lock.json"

Is it possible to stop this report? The mentioned file no longer exists.

[jayenashar]

duplicate of #180862?

[airween]

Very similar - I got exactly the same message, with the same CVE.

(On the mentioned screenshot it seems like the user got several different CVE's)

[jayenashar]

Very similar - I got exactly the same message, with the same CVE.

(On the mentioned screenshot it seems like the user got several different CVE's)

i'm not sure. the first and last were CVE-2025-12816 only but all are node-forge, same as you. i only recently set up dependabot for these repos so there may be more CVE's due to very old packages.