The fix for this vulnerability involved changing a dependency definition file. Systems often have a large list of dependencies, and will sometimes report their dependencies' vulnerabilities as their own. Sometimes the mistake is a combination of the project and its dependency; sometimes the fix for the vulnerability is simply to update the version. Either way, the software **supply chain** is a key part of these vulnerabilities.


