But when you look at the advisory it's an edge case: it's a vulnerability that is only present when you take user input and put it into a template. NPM's audit is very paranoid and that's OK. Better to get notified about all potential failures IMO.
Then I run npm why and get a lot of output similar to this:
jest-cli@"^27.2.4" from firstname.lastname@example.org
dev jest@"^27.2.4" from the root project
peer jest@"^27.0.0" from email@example.com
dev ts-jest@"^27.0.5" from the root project
So the conclusion seems to be that ts-jest is importing too much of Lodash.
I'd like ts-jest to not result in audit failures.
I'm getting audit failures.
I don't think this is relevant here.
We solve this by importing the mini-packages like lodash.range. It looks like this is feasible here as well.
I'm open to making a PR for this if the team is willing to consider this change.
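The reasoning step in the report above (reading npm why output and working out which direct dependency drags lodash in) is easy to get wrong by eye when the output is long. The following is an added example, not code from the issue author or the ts-jest project: a small Node script that parses lines in the shape npm why / npm explain prints ("name@"range" from parent@version", optionally prefixed with dev, peer or optional) and reports every dependency chain up to the root project plus the set of direct dependencies responsible. The sample output is constructed for the example (package names and versions are illustrative), and the exact line shape is an assumption about npm's output format, so adjust the regex if your npm version prints something different.

```javascript
'use strict';

// Constructed sample in the shape `npm why lodash` prints: the audited package on top,
// node_modules paths in between, and one `<child>@"<range>" from <parent>` line per edge.
// Versions and names here are illustrative, not taken from a real install.
const SAMPLE_WHY_OUTPUT = `
lodash@4.17.20 dev
node_modules/lodash
  lodash@"^4.17.15" from ts-jest@27.0.5
  node_modules/ts-jest
    dev ts-jest@"^27.0.5" from the root project
  lodash@"^4.17.15" from jest-cli@27.2.4
  node_modules/jest-cli
    jest-cli@"^27.2.4" from jest@27.2.4
    node_modules/jest
      dev jest@"^27.2.4" from the root project
      peer jest@"^27.0.0" from ts-jest@27.0.5
`;

const ROOT = 'the root project';

// Assumed edge-line shape: optional edge type, child name (scoped names allowed),
// quoted range, the word "from", then either "the root project" or parent@version.
const EDGE_RE = /^\s*(?:(dev|peer|optional|peerOptional)\s+)?(@?[^\s@"]+)@"([^"]*)"\s+from\s+(.+?)\s*$/;

// "jest-cli@27.2.4" -> "jest-cli"; "@scope/pkg@1.0.0" -> "@scope/pkg".
function stripVersion(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

// Turn each edge line into {child, range, type, parent}; header and path lines are skipped.
function parseWhy(text) {
  const edges = [];
  for (const line of text.split('\n')) {
    const m = EDGE_RE.exec(line);
    if (!m) continue;
    const [, type, child, range, parentSpec] = m;
    const parent = parentSpec === ROOT ? ROOT : stripVersion(parentSpec);
    edges.push({ child, range, type: type || 'prod', parent });
  }
  return edges;
}

// Every dependency chain from pkg up to the root project, as arrays of package names
// ending with ROOT. A package already on the current path is not revisited, so a
// cyclic peer relationship cannot send the walk into an infinite loop.
function chainsToRoot(edges, pkg) {
  const parentsOf = new Map();
  for (const e of edges) {
    if (!parentsOf.has(e.child)) parentsOf.set(e.child, []);
    parentsOf.get(e.child).push(e.parent);
  }
  const chains = [];
  const walk = (name, path) => {
    if (name === ROOT) {
      chains.push(path);
      return;
    }
    for (const parent of parentsOf.get(name) || []) {
      if (path.includes(parent)) continue;
      walk(parent, [...path, parent]);
    }
  };
  walk(pkg, [pkg]);
  return chains;
}

// The direct dependencies of the root project through which pkg is reached:
// the package sitting immediately below ROOT on each chain.
function directDependentsOf(edges, pkg) {
  const direct = new Set();
  for (const chain of chainsToRoot(edges, pkg)) {
    direct.add(chain[chain.length - 2]);
  }
  return [...direct].sort();
}

const edges = parseWhy(SAMPLE_WHY_OUTPUT);
for (const chain of chainsToRoot(edges, 'lodash')) {
  console.log(chain.join(' <- '));
}
console.log('direct dependents of lodash:', directDependentsOf(edges, 'lodash').join(', '));
```

Run it with node after pasting real npm why output into SAMPLE_WHY_OUTPUT (or reading it from stdin). On the constructed sample it lists three chains and names both jest and ts-jest as direct dependents, which is the kind of answer the report above arrives at by hand: every chain that ends in ts-jest is one the mini-package change would remove, while a chain through jest-cli would still need the same fix upstream.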