Hi. I ran osv-scanner on a databricks/app-template template and encountered a potential false positive match.
The project's package-lock.json includes a package which is a link to a local path.
"node_modules/@chat-template/auth": {
"resolved": "packages/auth",
"link": true
},
However, osv-scanner flags this against MAL-2026-5124, which is a malicious package advisory intended for the @chat-template/auth npm registry package (no longer available apparently).
Considering the package is a link to a local directory, and not the npm package - I think this is a false positive.
Possible related issues:
#1861
google/osv-scalibr#808
Thanks
Hi. I ran osv-scanner on a databricks/app-template template and encountered a potential false positive match.
The project's package-lock.json includes a package which is a link to a local path.
However, osv-scanner flags this against MAL-2026-5124, which is a malicious package advisory intended for the @chat-template/auth npm registry package (no longer available apparently).
Considering the package is a link to a local directory, and not the npm package - I think this is a false positive.
Possible related issues:
#1861
google/osv-scalibr#808
Thanks