Comment by vladvasiliu
3 years ago
If it's the kind of report I've seen, it could've been along the lines of Package version X.Y.Z comes with M module which has V vulnerability. Upgrade to X.Y.Z+1, which patched it. They don't actually look at the enabled modules.
I thought it might be that. Yeah.
Yes, it was exactly like that.