
Request to review GHSA-gwr8-m965-83p4

Open spack-vendavo opened this issue 1 year ago • 2 comments

This demo package was published by an authorized pen tester working with Vendavo, Inc. It was not downloaded by anyone; the pezzi package is only consumed from an internal package manager. The pen tester removed the fake pezzi package, and Vendavo took ownership of the org in npm.

The problem is that this creates false critical alerts in product security scans containing the real pezzi package.

spack-vendavo, May 02 '24 13:05