Deprecated dependency should be reported
Description
- At the moment, dependencies that are deprecated with no CVE are not flagged by Dependency Scanning.
- GitHub and Snyk have provided an alert for libraries such as fsevents v1.2.7.
Customer
https://gitlab.my.salesforce.com/00161000017upDbAAI
Proposal
A customer provided this feedback on a feature request.
Having a list of deprecated libraries is useful for our tracking as well. In this library case it got flagged in GitHub and Snyk advisory databases despite no CVE attached, would be helpful to receive such findings in our GitLab scans as well along with list of deprecated libraries
Output a report from dependency scanning to show if a package has been deprecated/replaced/version EOL which does not necessarily have a CVE attached to it.
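As an added illustration of the proposal (not GitLab's own scanner code), the script below checks each package in a lockfile against the `deprecated` field that the npm registry sets on deprecated versions and emits a finding even when no CVE exists. The registry packument, the lockfile and the finding fields are constructed stand-ins; the deprecation message and the `deprecated_dependency` category are assumptions, not real npm or GitLab values.

```python
import json

# Constructed stand-in for the npm registry packument of fsevents.
# Real packuments carry a "deprecated" string on versions the maintainers
# have deprecated; the message text here is made up for this example.
REGISTRY = {
    "fsevents": {
        "versions": {
            "1.2.7": {"deprecated": "constructed: this release line is no longer supported"},
            "2.3.2": {},
        }
    },
    "lodash": {"versions": {"4.17.21": {}}},
}

# Constructed package-lock.json (lockfileVersion 2 "packages" layout) for the scanned project.
LOCKFILE = json.dumps({
    "name": "demo", "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"fsevents": "1.2.7", "lodash": "4.17.21"}},
        "node_modules/fsevents": {"version": "1.2.7"},
        "node_modules/lodash": {"version": "4.17.21"},
    }
})


def installed_packages(lock_text):
    """Yield (name, version) for every installed package in the lockfile, nested ones included."""
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if path.startswith("node_modules/"):
            yield path.rsplit("node_modules/", 1)[1], meta["version"]


def deprecation_findings(lock_text, registry):
    """Return one finding per installed version the registry marks as deprecated.
    No CVE is consulted; the registry's own deprecation notice is the evidence."""
    findings = []
    for name, version in installed_packages(lock_text):
        notice = registry.get(name, {}).get("versions", {}).get(version, {}).get("deprecated")
        if notice:
            findings.append({
                "package": name, "version": version,
                "category": "deprecated_dependency",  # hypothetical category, not a GitLab schema value
                "message": notice,
                "location": "package-lock.json",
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(deprecation_findings(LOCKFILE, REGISTRY), indent=2))
```

In a real scanner the `REGISTRY` dict would be replaced by a fetch of `https://registry.npmjs.org/<package>` per dependency, which is where the `deprecated` field actually lives.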
Links
https://www.npmjs.com/package/fsevents/v/1.2.7