Critical 8.1 CVSS Vulnerability in 'config-0.0.0.tgz' Package, Marked as Unreachable

A critical security scan has flagged the `config-0.0.0.tgz` package with three high-severity vulnerabilities, including one rated 8.1 on the CVSS scale. The findings originate from a transitive dependency on `lodash-4.17.21.tgz`, a widely used JavaScript utility library. The most alarming aspect is that all three vulnerabilities are currently marked as 'Unreachable' by the scanning tool, indicating the vulnerable code paths may not be directly exploitable in the current application context, yet they remain present and unpatched.

The vulnerabilities are identified as CVE-2026-4800 (CVSS 8.1) and CVE-2025-13465 (CVSS 7.2). The scan report explicitly states there is no remediation available ('Fixed in: N/A') for these specific issues in the identified library version. This creates a persistent, unresolved risk embedded within the project's dependency tree. The path to the vulnerable library is traced through `/packages/config/package.json`, highlighting a potential weak point in the software supply chain for any project relying on this configuration package.

The situation presents a classic software supply chain dilemma: high-severity flaws exist in a foundational library, but their 'unreachable' status complicates the risk assessment and remediation priority. For development and security teams, this forces a decision between accepting the theoretical risk, attempting to replace the dependency entirely, or waiting for upstream patches that do not yet exist. The presence of such vulnerabilities, even if not immediately exploitable, increases the attack surface and technical debt, demanding scrutiny in any security-conscious deployment pipeline.