It depends. Just because it's a testing framework doesn't mean you won't install the package in production.
The first thing I'd do is to ensure it's included in your devDependencies section of package.json (you can run npm audit fix --only=prod to run audit against only production dependencies).
It also depends on what the vulnerability is. Take some time to assess the vulnerability and whether it's going to affect your app.
Lastly, you have to assess whether the effort to fix the vulnerability is worth it, which again depends on what the actual vulnerability is.
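As an added example (not part of the comment above), here is a small Node.js check for the first step: whether a package flagged by `npm audit` is actually reachable from production dependencies, rather than only via `devDependencies`. It reads `package.json` and a `lockfileVersion` 2/3 style `package-lock.json`, where npm marks entries reachable only through dev dependencies with `"dev": true`; the package names and both files below are constructed for illustration.

```javascript
// Decide whether a flagged package ships to production by combining the
// declared dependency sections with the installed tree from the lockfile.
// Assumption: a lockfileVersion 2/3 "packages" map keyed by install path,
// where dev-only entries carry "dev": true (constructed sample data below).
function classifyPackage(pkgJson, lockfile, name) {
  const inDeps = Boolean(pkgJson.dependencies && pkgJson.dependencies[name]);
  const inDev = Boolean(pkgJson.devDependencies && pkgJson.devDependencies[name]);

  // Collect every installed copy, including nested (transitive) copies.
  const installed = Object.entries(lockfile.packages || {})
    .filter(([loc]) => loc === `node_modules/${name}` || loc.endsWith(`/node_modules/${name}`))
    .map(([loc, meta]) => ({ loc, version: meta.version, dev: meta.dev === true }));

  // Any copy not marked dev-only is installed with `npm install --omit=dev`
  // and therefore ends up in a production build.
  const shipsToProd = installed.some((copy) => !copy.dev);
  return { name, inDeps, inDev, installed, shipsToProd };
}

// Human-readable triage hint for a classification result.
function triageMessage(result) {
  if (result.installed.length === 0) return `${result.name}: not installed`;
  if (!result.shipsToProd) return `${result.name}: dev-only, does not ship to production`;
  const prodCopies = result.installed.filter((c) => !c.dev).map((c) => `${c.loc}@${c.version}`);
  return `${result.name}: reaches production via ${prodCopies.join(", ")}; assess the advisory`;
}

// Constructed sample: the test framework is declared only as a devDependency,
// but a production dependency pulls in an older copy transitively.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "some-lib": "^1.0.0" },
  devDependencies: { "test-framework": "^5.0.0" },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    "node_modules/test-framework": { version: "5.0.1", dev: true },
    "node_modules/some-lib": { version: "1.2.0" },
    "node_modules/some-lib/node_modules/test-framework": { version: "4.9.0" },
  },
};

for (const name of ["test-framework", "some-lib", "not-installed"]) {
  console.log(triageMessage(classifyPackage(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, name)));
}
```

On a real project, load the two objects with `JSON.parse(fs.readFileSync(...))` instead of the constructed samples.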