While looking into something else I came across the Zip Slip vulnerability. Kind of annoying since it’s nearly a year old and I’ve only heard of it now.
Every now and then I keep thinking a neat tool would be something that would run over a project, track every dependency it has and then alert you when there’s a security issue. However it seems like one of those things people would want but not pay for.
In this case nothing I’m working on is vulnerable to this, but that seems more like luck than good engineering.
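For anyone who, like the author, is meeting Zip Slip for the first time: the bug is an archive entry whose name contains `../` segments (or an absolute path), which a naive extractor joins onto the destination directory and so writes outside it. The block below is an added example, not code from the post; it constructs a small in-memory archive with a traversal entry and an absolute entry (hypothetical data), shows the vulnerable join, and shows the realpath check that turns "luck" into an actual guarantee. Python's own `ZipFile.extract` already strips traversal components, so the hole only appears when code builds the target path itself, which is what `safe_extract` deliberately does here in order to show the check; the libraries actually hit by Zip Slip were doing exactly that join without it.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from any real package): one benign
    entry, one relative-traversal entry and one absolute-path entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../outside.txt", "escaped the extraction dir\n")
        zf.writestr("/tmp/absolute.txt", "absolute entry name\n")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    # The Zip Slip pattern: the entry name is trusted as a relative path and
    # joined straight onto the destination. "../" segments walk out of dest,
    # and os.path.join discards dest entirely when name is absolute.
    return os.path.join(dest, name)


def is_inside(dest: str, target: str) -> bool:
    # The check that closes the hole: resolve both paths (this also follows
    # symlinks) and require the target to sit at or below dest.
    dest_real = os.path.realpath(dest)
    target_real = os.path.realpath(target)
    return target_real == dest_real or target_real.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest: str):
    """Extract entries by hand, refusing any whose resolved path leaves dest.
    Returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = naive_target(dest, info.filename)
            if not is_inside(dest, target):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> dict:
    """Run safe_extract over the sample archive in a fresh temp dir and
    report what landed where (hypothetical helper for this example)."""
    dest = tempfile.mkdtemp(prefix="zipslip-")
    extracted, rejected = safe_extract(build_sample_zip(), dest)
    # Where the traversal entry would have ended up without the check.
    parent_escape = os.path.realpath(naive_target(dest, "../../outside.txt"))
    return {
        "extracted": extracted,
        "rejected": rejected,
        "readme_exists": os.path.isfile(os.path.join(dest, "docs", "readme.txt")),
        "outside_exists": os.path.isfile(parent_escape),
    }


if __name__ == "__main__":
    print(demo())
```

The same check applies to tar and any other archive format whose entry names are attacker-controlled; the important part is resolving the joined path before using it, since a lexical test for `..` misses absolute names and symlinked directories.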