Open
Description
Disclaimer: I am not a nodejs dependency expert.

Project and lockfile in question: https://github.com/hpi-schul-cloud/schulcloud-client/blob/e5275e4b6e3b47a779541128954603a5619a88b9/package-lock.json

Mostly trivy lists glob-parent version 3.1.0 as being vulnerable, however sometimes not. This might be since the dependency is included multiple times due to transitive dependencies.

This issue is so common that I am wondering if we do something wrong or if this is an oversight by the npm parser? Particularly this line sparked my interest:

go-dep-parser/pkg/nodejs/npm/parse.go, line 59 in 60502da:

```go
return utils.UniqueLibraries(libs), uniqueDeps(deps), nil
```

Is this some kind of race condition?
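The following is an added illustration, not the reporter's text and not code from trivy or go-dep-parser. It shows how a lockfileVersion-1 tree produces the same (name, version) pair several times when a package is nested under different parents, and how a plain sequential deduplication pass (the hypothetical `DedupLibraries` below stands in for `utils.UniqueLibraries`, whose real implementation is not reproduced here) returns the same result on every run. The lockfile content is constructed; if a sequential pass like this is what runs, the run-to-run differences described above would have to come from somewhere else in the scanning pipeline rather than from that line.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Library is one (name, version) pair found anywhere in the lockfile tree.
type Library struct {
	Name    string
	Version string
}

// lockDep is the subset of a lockfileVersion-1 "dependencies" entry used here:
// a version plus an optional nested "dependencies" map (hypothetical type).
type lockDep struct {
	Version      string             `json:"version"`
	Dependencies map[string]lockDep `json:"dependencies"`
}

type lockfile struct {
	Dependencies map[string]lockDep `json:"dependencies"`
}

// collect walks the tree depth-first and records every occurrence, including
// the same name/version nested under several parents. Keys are sorted first so
// the result does not depend on Go's randomized map iteration order.
func collect(deps map[string]lockDep, out *[]Library) {
	names := make([]string, 0, len(deps))
	for n := range deps {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		d := deps[n]
		*out = append(*out, Library{Name: n, Version: d.Version})
		collect(d.Dependencies, out)
	}
}

// DedupLibraries drops repeated (name, version) pairs, keeping the first
// occurrence. It is a single sequential pass with no goroutines, so for the
// same input order it always yields the same output.
func DedupLibraries(libs []Library) []Library {
	seen := make(map[Library]bool, len(libs))
	out := make([]Library, 0, len(libs))
	for _, l := range libs {
		if seen[l] {
			continue
		}
		seen[l] = true
		out = append(out, l)
	}
	return out
}

// ParseLockfile returns every occurrence and the deduplicated list.
func ParseLockfile(data []byte) (all, unique []Library, err error) {
	var lf lockfile
	if err = json.Unmarshal(data, &lf); err != nil {
		return nil, nil, err
	}
	collect(lf.Dependencies, &all)
	return all, DedupLibraries(all), nil
}

// CountVersion reports how many entries match the given name and version.
func CountVersion(libs []Library, name, version string) int {
	n := 0
	for _, l := range libs {
		if l.Name == name && l.Version == version {
			n++
		}
	}
	return n
}

// SampleLock is a constructed lockfile: glob-parent 3.1.0 is nested under two
// different parents and a newer 5.1.2 copy sits at the top level.
const SampleLock = `{
  "name": "sample-app",
  "lockfileVersion": 1,
  "dependencies": {
    "glob-parent": { "version": "5.1.2" },
    "chokidar": {
      "version": "2.1.8",
      "dependencies": { "glob-parent": { "version": "3.1.0" } }
    },
    "fast-glob": {
      "version": "2.2.7",
      "dependencies": { "glob-parent": { "version": "3.1.0" } }
    }
  }
}`

func main() {
	all, unique, err := ParseLockfile([]byte(SampleLock))
	if err != nil {
		panic(err)
	}
	fmt.Printf("occurrences: %d, unique: %d\n", len(all), len(unique))
	fmt.Printf("glob-parent 3.1.0 seen %d times, reported once after dedup: %v\n",
		CountVersion(all, "glob-parent", "3.1.0"),
		CountVersion(unique, "glob-parent", "3.1.0") == 1)
}
```

Both glob-parent versions survive the pass exactly once, so a vulnerable nested copy is not lost by deduplication itself; the walk sorts map keys precisely because unsorted map iteration is the one place in such code where output order would otherwise vary between runs.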