A project is known to have vulnerabilities reported in releases
The given project has a considerably large number of vulnerabilities reported.
The fact that a project has vulnerabilities reported does not mean the project is of low quality. Note that CVE vulnerabilities are reported for projects that are actively used and have an active community that reports vulnerabilities.
This justification notifies you that the project is known to have vulnerabilities reported in one or more releases, but these vulnerabilities do not necessarily affect the version present in the resolved lock file. See the CVE information in justifications for known vulnerabilities associated with the resolved version.
If a project has a large number of vulnerabilities reported, it might indicate possible future vulnerability disclosures. It might be worth keeping an eye on the application that uses the given project and seeking additional guidance with respect to security. See Thoth’s security advisories for more info.
See the justification message for the affected package.