Since 12/01/2023 Fortify has thrown a vulnerability for version 1.0.6 of the Inflight library. The latest version of Jest has the latest version of Glob fixed, but its packages still have a vulnerable version of Glob (8.x version). Can you update the packages to the latest version of Glob to clean the Fortify & Snyk reports?
I've tried the script from this post, but the vulnerability still exists; in fact there is another one. Maybe I can try updating my Angular version to 16, but I think that if Jest's packages have the dependency, our problems will stay in the Fortify reports.
While going through SOC compliance, I ran into the same problem. The solution I opted for:
Move all the Jest related packages from "dependencies" to "devDependencies" in your package.json.
During your prod/demo server deployment, change your dependencies install to add the production flag:
pnpm i --production or npm i --production
This will make sure to only install "dependencies" packages in your prod/demo envs. However, keep Circle or whatever testing pipeline you have on the usual pnpm install.
Prod stacks stay clean of any vulns.
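The step above (move Jest-related packages to "devDependencies" so a production-only install leaves them out) is easy to get wrong by hand and to regress later, so here is an added example, not code from the thread or from Jest, that performs the move on a parsed package.json and reports what a `--production` install would pull in. The manifest, package names and version ranges in `SAMPLE_PACKAGE_JSON` are constructed for illustration; the name patterns in `TEST_TOOL_PATTERNS` are an assumption about which packages count as "Jest related" and should be adjusted to your project.

```javascript
// Added example (not from the thread): apply the "move Jest-related packages to
// devDependencies" fix as a checkable function, so a CI job can assert that test
// tooling never ends up in a production install.

// Assumed set of "Jest related" package names; extend for your own test stack.
const TEST_TOOL_PATTERNS = [
  /^jest$/, /^jest-/, /^@jest\//, /^ts-jest$/, /^babel-jest$/, /^@types\/jest$/,
];

function isTestTool(name, patterns = TEST_TOOL_PATTERNS) {
  return patterns.some((re) => re.test(name));
}

// Names of test-only packages that wrongly sit in "dependencies" (sorted).
function findTestToolsInProdDeps(pkg, patterns = TEST_TOOL_PATTERNS) {
  return Object.keys(pkg.dependencies || {})
    .filter((name) => isTestTool(name, patterns))
    .sort();
}

// Return a new manifest with those packages moved to "devDependencies".
// The input is not mutated and version ranges are preserved.
function moveTestToolsToDev(pkg, patterns = TEST_TOOL_PATTERNS) {
  const deps = { ...(pkg.dependencies || {}) };
  const devDeps = { ...(pkg.devDependencies || {}) };
  for (const name of findTestToolsInProdDeps(pkg, patterns)) {
    devDeps[name] = deps[name];
    delete deps[name];
  }
  return { ...pkg, dependencies: deps, devDependencies: devDeps };
}

// Direct packages that `npm i --production` / `pnpm i --production` would
// install: only the "dependencies" section, never "devDependencies".
function productionInstallSet(pkg) {
  return Object.keys(pkg.dependencies || {}).sort();
}

// Constructed sample manifest with Jest tooling wrongly listed as a runtime dep.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    "@angular/core": "^15.2.0",
    jest: "^29.7.0",
    "ts-jest": "^29.1.0",
    "jest-preset-angular": "^13.1.0",
  },
  devDependencies: { typescript: "~4.9.0" },
});

// Run the check and the fix on the sample manifest and return the findings.
function demo(manifestText = SAMPLE_PACKAGE_JSON) {
  const pkg = JSON.parse(manifestText);
  const fixed = moveTestToolsToDev(pkg);
  return {
    offenders: findTestToolsInProdDeps(pkg),
    prodInstallBefore: productionInstallSet(pkg),
    prodInstallAfter: productionInstallSet(fixed),
    fixed,
  };
}

// Stand-alone usage: print the report and exit non-zero if anything had to move.
if (typeof require !== "undefined" && require.main === module) {
  const report = demo();
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.offenders.length ? 1 : 0;
}
```

Run it against the real file with `demo(fs.readFileSync("package.json", "utf8"))` and write `fixed` back if the offenders list is non-empty. Two caveats a reviewer will want: the move changes what the production server installs, not what is in the lockfile, so a scanner that reads the whole lockfile (as Fortify or Snyk may) still sees the Glob 8.x tree under Jest unless it is pointed at the production install; and on current npm the `--production` flag is a legacy alias for `--omit=dev`, which does the same thing.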