Updating from 5.3.2 to 6.0.1 in angular project
Hello, if I update the Dependency-Check-Maven-Plugin from 5.3.2 to 6.0.1 without further changes in my configuration, the build is interrupted (as configured) while new vulnerabilities are found. That's okay, but in contrast to 5.3.2, where 2 vulnerabilities were found, version 6.0.1 now finds 2290 … And that surprises me a little.
After looking around I set up a little demo project with just a pom.xml, a package.json and an owasp-exclude.xml. And it looks as if the plugin will now find any vulnerability for the devDependencies in package.json.
So the questions are now:
Is there something I can do?
Can I suppress the scanning of devDependencies (setting nodeAuditSkipDevDependencies to false true does not work)?
Runs executed on 18th of September 2020, at around 08:45 CEST:
- run1:
  mvn clean verify
  produces 0 vulnerabilities
- run2:
  mvn clean verify -Ddependency-check-maven.version=6.0.1
  produces 2289 vulnerabilities in 82 dependencies
- run3: devDependencies removed from package.json
  mvn clean verify -Ddependency-check-maven.version=6.0.1
  will produce again 0 vulnerabilities
The pom.xml (with plugin version 5.3.2), package.json and owasp-exclude.xml are attached as 03_demo.zip
The created reports of the three runs are attached as reports.zip
It seems not really working: also with version 6.0.2 and
<nodeAuditSkipDevDependencies>true</nodeAuditSkipDevDependencies>
I still get more than 2200 vulnerabilities for the attached demo project … (exactly: 2268 vulnerabilities in 47 dependencies, which is only a little bit fewer than the original 2289 vulnerabilities in 82 dependencies …)

In addition - I believe I just fixed the issue with skipping dev dependencies via nodeAuditSkipDevDependencies. The patch will be in 6.0.2.
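For readers reproducing this, here is an added example of the plugin configuration the discussion revolves around; it is not taken from the issue or the attached 03_demo.zip. The plugin version, the CVSS threshold and the suppression file name are assumptions (owasp-exclude.xml is the name the reporter uses, its contents are not on the page).

```xml
<!-- Added example, not the reporter's pom.xml. Assumed: version 6.0.2
     (the release the maintainer names for the fix), a CVSS fail threshold
     of 7, and a suppression file named owasp-exclude.xml in the project root. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>6.0.2</version>
      <configuration>
        <!-- Break the build when any finding reaches this CVSS score. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Skip the npm devDependencies (the setting the issue is about);
             per the maintainer, it only takes effect from 6.0.2 onward. -->
        <nodeAuditSkipDevDependencies>true</nodeAuditSkipDevDependencies>
        <!-- Reviewed false positives are suppressed here, with a reason
             and ideally an expiry date, rather than by lowering the threshold. -->
        <suppressionFiles>
          <suppressionFile>owasp-exclude.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Compare the finding counts in the generated report before and after setting nodeAuditSkipDevDependencies, as the reporter did with the three runs above; if devDependencies still appear, the scan is running a plugin version without the fix.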