Critical Lodash Vulnerabilities (CVSS 8.1) Flagged in 'common' Package, Marked as 'Unreachable'

A critical security scan has flagged eight vulnerabilities within the `common-0.0.0.tgz` package, with the highest severity scoring a CVSS 8.1. The findings, reported via a GitHub issue, indicate a deeply embedded and potentially unaddressed risk in a foundational project dependency. All identified vulnerabilities are linked to a single transitive library, `lodash-4.17.21.tgz`, and are currently marked with a remediation status of 'Not Available' and a 'Reachability' classification of 'Unreachable.' This combination suggests the vulnerable code paths may be difficult to isolate or patch, leaving the system exposed.

The core of the issue lies in the `lodash` utility library, a ubiquitous but aging dependency in the JavaScript ecosystem. Two specific high-severity CVEs are highlighted: CVE-2026-4800 (CVSS 8.1) and CVE-2025-13465 (CVSS 7.2). The 'Unreachable' tag from the scanning tool implies that while the vulnerable library is present in the dependency tree, the specific functions containing the flaws may not be directly invoked by the application's code—a nuance that can lead to complacency or misprioritization in security remediation efforts.

This scenario presents a classic supply chain security dilemma. The 'common' package, often used as a shared internal library, becomes a silent vector for risk. The lack of available fixes ('N/A' for 'Fixed in') and remediation options creates a persistent threat. For development teams, this forces a critical decision: undertake a potentially complex and breaking upgrade of the entire `lodash` dependency chain, accept the risk based on the 'unreachable' assessment, or seek alternative libraries altogether. The incident underscores the operational tension between maintaining legacy code and enforcing modern security postures in software supply chains.