OpenStreetMap iD Editor PR Aims to Suppress CVE-2024-6485 Vulnerability Scanner Alerts
A proposed code change for the OpenStreetMap iD Editor seeks to remove a specific folder to prevent automated security scanners from flagging a known vulnerability. The pull request explicitly targets the `node_modules/leaflet-draw/docs/examples-0.7.x` directory, which contains an HTML file linking to an outdated and vulnerable version of Bootstrap (v3.3.7). This version is associated with CVE-2024-6485. The change is framed as a measure to avoid false-positive or nuisance reports from vulnerability scanning tools, rather than directly patching the underlying library.
The issue originates from a dependency chain. The `leaflet-draw` library, used for map editing features, includes example documentation that references an external, vulnerable Bootstrap CDN link. Since this file is not required for the core application's runtime but resides within the installed `node_modules`, it can be detected by security audits. The PR also includes a separate update to the `tmp` dependency from version 0.2.3 to 0.2.5, indicating broader maintenance alongside the primary security-alert mitigation.
This approach highlights a common tension in software maintenance: managing security compliance signals versus addressing actual runtime risks. By deleting the example folder, the project aims to clean its security report without altering functional code. However, the upstream example page still references the vulnerable Bootstrap script externally rather than being patched, which raises questions about the completeness of the fix should that example code ever be executed. The change resolves GitHub issue #11273 and partially addresses #10376, linking it to ongoing project hygiene and security posture efforts.