azornathogron
2 hours ago
Ignoring the silly vulnerability Marketing Name, the part I found shocking here is that apparently URL-based dependencies in package.json (deps that just point to an arbitrary URL rather than pointing to another NPM package name) are ignored by a lot of tools that are supposed to scan or give information about dependencies.
This means deps that are possibly the most concerning and deserve extra caution might be hiding in plain sight, not showing up in basic checks.
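One way to surface the dependencies the comment above is worried about, as an added example that is not part of the comment or of any scanning tool's own code: a small Node script that walks the dependency fields of a `package.json` and flags every specifier that does not resolve to the npm registry (remote tarball URLs, git URLs, hosted-git shorthand, local paths). The classifier is a simplified approximation of npm's specifier rules (npm's own parser is `npm-package-arg`, which is not used here), and the sample manifest, package names and `example.invalid` hosts are constructed for illustration.

```javascript
// Added example: flag package.json dependencies that bypass the npm registry.
// Simplified classifier written for this illustration, not npm's own parser.
// SAMPLE_PACKAGE_JSON is constructed; none of its URLs or hosts exist.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Hosts that npm treats as git repositories when given as a plain https:// URL.
const GIT_HOSTS = /^(www\.)?(github\.com|gitlab\.com|bitbucket\.org)$/i;

// Classify one specifier string. Returns one of:
//   registry, registry-alias, git-url, hosted-git, remote-tarball, local-path, link, workspace
function classifySpec(spec) {
  const s = String(spec).trim();

  if (/^npm:/i.test(s)) return "registry-alias";                     // npm:real-name@range (registry, but name is hidden behind the alias)
  if (/^file:/i.test(s) || /^(\.\.?\/|\/|~\/)/.test(s)) return "local-path";
  if (/^link:/i.test(s)) return "link";
  if (/^workspace:/i.test(s)) return "workspace";
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return "hosted-git"; // github:owner/repo#ref
  if (/^(git\+(ssh|https?|file)|git|ssh):\/\//i.test(s)) return "git-url"; // git+ssh://, git+https://, git://, ssh://
  if (/^git@[^:]+:/.test(s)) return "git-url";                       // scp-style git@host:owner/repo.git
  if (/^https?:\/\//i.test(s)) {
    let host = "";
    try { host = new URL(s).hostname; } catch (_) { /* unparseable URL: treat as a tarball fetch */ }
    return GIT_HOSTS.test(host) ? "hosted-git" : "remote-tarball";   // arbitrary https:// = tarball download
  }
  // Bare "owner/repo" (optionally "#ref") is GitHub shorthand. Scoped package
  // names start with "@" and appear as keys, never as specifier values.
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return "hosted-git";
  return "registry";                                                 // semver range, dist-tag, or "" (= latest)
}

// Walk every dependency field and return the entries that do not come from the registry.
function findNonRegistryDeps(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (kind === "registry" || kind === "registry-alias") continue;
      findings.push({ field, name, spec: String(spec), kind });
    }
  }
  return findings;
}

// Count findings per kind, e.g. { "git-url": 2, "remote-tarball": 1 }.
function summarizeByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed manifest mixing registry and non-registry specifiers.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "express": "^4.18.2",                                                       // registry
    "lodash": "latest",                                                         // registry dist-tag
    "left-pad-fork": "https://example.invalid/left-pad-1.3.0.tgz",              // remote tarball
    "some-lib": "github:example-org/some-lib#v2.1.0",                           // hosted git
    "other-lib": "example-org/other-lib",                                       // GitHub shorthand
    "internal-tool": "git+ssh://git@example.invalid/team/internal-tool.git#main", // git URL
    "local-helper": "file:../local-helper",                                     // local path
    "compat-foo": "npm:foo@^1.0.0"                                              // registry alias
  },
  devDependencies: {
    "jest": "~29.0.0",                                                          // registry
    "custom-build": "git+https://example.invalid/tools/custom-build.git"        // git URL
  }
};

const findings = findNonRegistryDeps(SAMPLE_PACKAGE_JSON);
for (const f of findings) {
  console.log(`${f.field}: ${f.name} -> ${f.kind} (${f.spec})`);
}
console.log(summarizeByKind(findings));
```

Anything this reports deserves the manual review that a registry package would get from an SCA tool: a git ref or a tarball URL has no registry metadata, no advisory mapping by package name and version, and its contents are whatever the remote host serves at install time, so check that the lockfile pins it to a commit or an integrity hash rather than a moving branch.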