When I ran depbrief scan against the DepBrief repo itself this morning, it showed 60 security advisories for three packages: @types/node, typescript, and vitest. That seemed wrong. None of those packages have anywhere near 20 known CVEs.

Looking at the output, I saw things like:

@types/node — GHSA-r5fr-rjxr-66jc — lodash vulnerable to Code Injection via _.template

Lodash advisories showing up for @types/node. That's a false positive.

Why it happens

The GitHub Advisory Database API accepts two query parameters: ecosystem and package. When you call:

GET https://api.github.com/advisories?ecosystem=npm&package=@types/node

You'd expect it to return only advisories affecting @types/node, but it doesn't: the results include advisories for other npm packages as well. Each advisory carries a vulnerabilities array whose entries name the exact package and version range affected, and the top-level advisory can be for a completely different package than the one you queried.

My original code was including advisories even when the specific vulnerabilities array had no entry matching the package I asked about:

// If no matching vulns found, still include the advisory with empty affected
const affectedFinal = affected.length > 0 ? affected : raw.vulnerabilities.map(v => ({
  vulnerableVersionRange: v.vulnerable_version_range,
  firstPatchedVersion: v.first_patched_version,
}));

That fallback was the bug. If no vulnerability in the advisory matched @types/node, it was using the version ranges from other packages' vulnerabilities and attributing them to @types/node.

The fix

Simple: if no vulnerability in the advisory matches the specific package we asked about, drop the advisory entirely.

const vulns = (raw.vulnerabilities ?? []).filter(
  v => v.package?.ecosystem?.toLowerCase() === ecosystem.toLowerCase() &&
       v.package?.name?.toLowerCase() === packageName.toLowerCase()
);
// Only include advisory if it has matching vulns for this specific package
if (vulns.length === 0) return null;
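The same filtering carried through to a complete normalizer, as an added example rather than DepBrief's own code. Field names follow the shape of GitHub's GET /advisories response; the sample page, its version ranges and the second GHSA id are constructed for the example.

```javascript
// Added example, not DepBrief's own code. Field names follow the shape of
// GitHub's GET /advisories response; the sample records below are constructed.
function normalizeAdvisory(raw, ecosystem, packageName) {
  const eco = ecosystem.toLowerCase();
  const name = packageName.toLowerCase();
  // Keep only vulnerability entries that name the exact package we queried.
  const vulns = (raw.vulnerabilities ?? []).filter(
    v => v.package?.ecosystem?.toLowerCase() === eco &&
         v.package?.name?.toLowerCase() === name
  );
  // Nothing in this advisory names the package: drop it rather than borrow
  // another package's version ranges (the original false-positive bug).
  if (vulns.length === 0) return null;
  return {
    ghsaId: raw.ghsa_id,
    affected: vulns.map(v => ({
      vulnerableVersionRange: v.vulnerable_version_range,
      firstPatchedVersion: v.first_patched_version,
    })),
  };
}

// Reduce one API page to the advisories that actually apply to the package.
function advisoriesFor(rawList, ecosystem, packageName) {
  return rawList
    .map(raw => normalizeAdvisory(raw, ecosystem, packageName))
    .filter(a => a !== null);
}

// Constructed sample page: the lodash advisory the API returned for a
// @types/node query, plus a hypothetical advisory that really names @types/node.
const SAMPLE_PAGE = [
  { ghsa_id: 'GHSA-r5fr-rjxr-66jc',
    vulnerabilities: [{ package: { ecosystem: 'npm', name: 'lodash' },
      vulnerable_version_range: '< 4.17.21', first_patched_version: '4.17.21' }] },
  { ghsa_id: 'GHSA-xxxx-xxxx-xxxx', // placeholder id, constructed
    vulnerabilities: [{ package: { ecosystem: 'npm', name: '@types/node' },
      vulnerable_version_range: '< 1.0.0', first_patched_version: '1.0.0' }] },
];
```

Running advisoriesFor(SAMPLE_PAGE, 'npm', '@types/node') keeps only the second record; the lodash advisory is dropped instead of being attributed to @types/node.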

After this fix, the self-scan shows 0 advisories for @types/node, typescript, and vitest. That is correct: none of those packages have known CVEs.

The broader principle

This is exactly why DepBrief exists. Dependency tools that show you noise — false advisories, vague PR descriptions, unverified claims — make you less safe, not more safe. When everything is "critical", nothing is.

Every fact in a DepBrief scan is either verified by static analysis (file paths, import counts, version numbers from the lockfile) or labeled clearly as an assessment. Advisories that don't apply to your specific package don't show up.

The fix is in depbrief@main. If you want to try it: npx depbrief login --token ghp_your_pat && npx depbrief scan .
