Should we scan yarn.lock files inside node_modules for CVEs?


Aim: we are trying to fix CVEs reported in an Angular project (scanned using the Trivy scanner).

Problem: none of the packages reported as vulnerable (per the Trivy report) are direct dependencies (they are not present in package.json), and they are already at their latest versions, so we are not able to fix these issues.

So, should we really scan yarn.lock files for CVEs? (All the issues reported are from the yarn.lock file.)

PS: if there are any alternatives for fixing CVEs in second-degree dependent packages, suggestions would be helpful.

Tried updating the packages mentioned, but most of them are already at their latest versions.
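Two facts frame the question above. First, Trivy (like other lockfile scanners) reads the project's root yarn.lock precisely because it lists every installed package, transitive ones included, so findings against packages absent from package.json are expected and real. Second, a yarn.lock found under node_modules/<package>/ is a lockfile the package author happened to ship in the tarball; it does not describe what is installed in your project, so findings from it are noise, and only the root lockfile should be scanned (Trivy's --skip-dirs option can exclude node_modules). The practical fix for a transitive package is to find which direct dependency drags it in, then either upgrade that direct dependency or pin the transitive package with a Yarn 1 "resolutions" entry in package.json. The script below is an added example, not code from the original post or from Trivy: it parses a yarn v1 lockfile, walks from the package.json dependencies to a named package, prints each dependency chain, and emits the resolutions override. The package.json and yarn.lock it reads are constructed samples with placeholder names (app-lib-a, mid-dep, old-parser) and do not correspond to any real package or CVE; the function names are mine.

```javascript
// Added example, not from the original question or from Trivy: locate the
// direct dependency that pulls a flagged transitive package into a project,
// using only the project's root yarn.lock (yarn v1 format) and package.json,
// then build the "resolutions" override that pins a fixed version.
// Both inputs below are constructed samples with placeholder package names.

const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { "app-lib-a": "^1.0.0" },
  devDependencies: { "app-tool-b": "^2.0.0" },
};

const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"app-lib-a@^1.0.0":
  version "1.0.3"
  resolved "https://registry.example/app-lib-a/-/app-lib-a-1.0.3.tgz"
  dependencies:
    "mid-dep" "^3.0.0"

"app-tool-b@^2.0.0":
  version "2.1.0"
  resolved "https://registry.example/app-tool-b/-/app-tool-b-2.1.0.tgz"

mid-dep@^3.0.0:
  version "3.2.1"
  resolved "https://registry.example/mid-dep/-/mid-dep-3.2.1.tgz"
  dependencies:
    old-parser "~0.9.0"

old-parser@~0.9.0:
  version "0.9.4"
  resolved "https://registry.example/old-parser/-/old-parser-0.9.4.tgz"
`;

// "name@range" -> name; the last "@" is the separator so scoped
// "@scope/name@range" specs work too.
function specName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

function unquote(s) {
  return s.trim().replace(/^"|"$/g, "");
}

// Parse the subset of the yarn v1 lockfile grammar needed for resolution:
// a header of comma-separated "name@range" specs ending in ":", the
// "version" field, and the nested "dependencies:" block.
// Returns Map<"name@range", { name, version, dependencies }>.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const rawLine of text.split("\n")) {
    if (!rawLine.trim() || rawLine.startsWith("#")) continue;
    const indent = rawLine.length - rawLine.trimStart().length;
    const line = rawLine.trim();
    if (indent === 0) {
      // Several specs can share one entry: "foo@^1.0.0", foo@^1.2.0:
      const specs = line.slice(0, -1).split(",").map(unquote);
      current = { name: specName(specs[0]), version: null, dependencies: {} };
      inDeps = false;
      for (const spec of specs) entries.set(spec, current);
    } else if (!current) {
      continue; // malformed: field before any header
    } else if (indent === 2) {
      inDeps = line === "dependencies:" || line === "optionalDependencies:";
      if (line.startsWith("version ")) current.version = unquote(line.slice(8));
    } else if (indent >= 4 && inDeps) {
      // `name "range"` or `"@scope/name" "range"`; yarn always quotes the range.
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Depth-first walk from package.json's direct dependencies to targetName,
// following the exact "name@range" keys the lockfile resolves. Each lockfile
// entry is expanded once, so cycles cannot loop. Returns chains of
// "name@resolvedVersion" strings ending at the target.
function findPaths(pkgJson, lock, targetName) {
  const direct = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const paths = [];
  const seen = new Set();
  function walk(name, range, chain) {
    const key = `${name}@${range}`;
    const entry = lock.get(key);
    if (!entry) return; // spec missing from lockfile: lockfile is stale
    const next = [...chain, `${name}@${entry.version}`];
    if (name === targetName) { paths.push(next); return; }
    if (seen.has(key)) return;
    seen.add(key);
    for (const [depName, depRange] of Object.entries(entry.dependencies)) {
      walk(depName, depRange, next);
    }
  }
  for (const [name, range] of Object.entries(direct)) walk(name, range, []);
  return paths;
}

// New package.json object with a Yarn 1 "resolutions" entry forcing every
// occurrence of targetName to fixedVersion; the input is not mutated.
function resolutionsOverride(pkgJson, targetName, fixedVersion) {
  return { ...pkgJson, resolutions: { ...(pkgJson.resolutions || {}), [targetName]: fixedVersion } };
}

if (typeof require !== "undefined" && require.main === module) {
  const lock = parseYarnLock(SAMPLE_YARN_LOCK);
  // prints: app-lib-a@1.0.3 -> mid-dep@3.2.1 -> old-parser@0.9.4
  for (const chain of findPaths(SAMPLE_PACKAGE_JSON, lock, "old-parser")) {
    console.log(chain.join(" -> "));
  }
  console.log(JSON.stringify(resolutionsOverride(SAMPLE_PACKAGE_JSON, "old-parser", "1.0.0"), null, 2));
}
```

The chain output tells you which direct dependency to upgrade or replace; the resolutions entry is the fallback when no upgrade of that direct dependency exists yet. After adding it, run `yarn install` and re-scan. Forcing a transitive package past the range its parent declares can break the parent at runtime, so treat a resolutions pin as a tested, temporary measure, and where no fixed version exists at all the remaining choices are replacing the direct dependency or recording an accepted finding with a justification.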
