Hello, I’ve reached out to a Themeforest theme developer about excessive dependency vulnerabilities. They have not responded, and their theme has produced over 27 vulnerabilities, nearly 30% of them high/critical severity, as reported by our repository on GitHub. We are unable to update these packages, as the composer.json file is not included in the theme.
Especially this security issue: NVD - CVE-2022-29167
Others here: screencapture-github-sqm-raven-security-dependabot-2022-06-02-08-03-35 (screenshot on ImgBB)
Does Envato require theme developers to comply with regular security updates and assurances? Does Envato have a set of security standards in place? If so, this theme has not updated its dependency packages for more than 2 years, potentially exposing hundreds of your customers to costly attacks.
What steps must I take now? We are heavily dependent on the theme, which works in tandem with other plugins; this is an education site with many enrolled students.
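The post notes that the theme ships its Composer packages without a composer.json, so there is no manifest to update. A Composer-installed vendor/ directory still carries its own inventory in vendor/composer/installed.json, and that file can be used to list exactly which package versions the theme bundles and compare them against the minimum versions named in the advisories. The script below is an added example for that check; it is not code from the original post, the theme or Envato. The installed.json content and the package names and minimum versions in MINIMUM_SAFE are constructed placeholders: a real run would point at the theme's vendor/composer/installed.json and fill the table from the Dependabot alerts.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Composer 2 vendor/composer/installed.json
# ({"packages": [...]}); package names are placeholders, not real packages.
SAMPLE_INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "example/vendor-lib", "version": "1.2.0"},
        {"name": "example/other-lib", "version": "v3.4.1"},
        {"name": "example/dev-lib", "version": "dev-master"},
    ]
})

# Hypothetical minimum safe versions, as one would compile them from the
# advisories behind each Dependabot alert (placeholders, not real data).
MINIMUM_SAFE: Dict[str, str] = {
    "example/vendor-lib": "1.3.0",
    "example/other-lib": "3.4.1",
    "example/dev-lib": "2.0.0",
}

_NUMERIC_PREFIX = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '1.2.0' or 'v3.4.1' into a 4-tuple of ints for comparison.

    Returns None for branch versions such as 'dev-master', which cannot be
    placed on a release line and therefore cannot be shown to be safe.
    """
    match = _NUMERIC_PREFIX.match(version)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def installed_packages(installed_json_text: str) -> Dict[str, str]:
    """Map package name -> shipped version from installed.json.

    Handles both the Composer 2 layout ({"packages": [...]}) and the
    Composer 1 layout (a bare list of package objects).
    """
    data = json.loads(installed_json_text)
    packages = data["packages"] if isinstance(data, dict) else data
    return {pkg["name"]: pkg["version"] for pkg in packages}


def outdated(installed: Dict[str, str],
             minimum: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, shipped, required) for every shipped package that is
    below its minimum safe version or whose version cannot be parsed."""
    flagged = []
    for name, required in sorted(minimum.items()):
        if name not in installed:
            continue  # not bundled by this theme, nothing to fix here
        have = parse_version(installed[name])
        need = parse_version(required)
        if have is None or need is None or have < need:
            flagged.append((name, installed[name], required))
    return flagged


if __name__ == "__main__":
    # With a real theme: open("wp-content/themes/<theme>/vendor/composer/installed.json")
    shipped = installed_packages(SAMPLE_INSTALLED_JSON)
    for name, have, need in outdated(shipped, MINIMUM_SAFE):
        print(f"{name}: shipped {have}, needs >= {need}")
```

The result is the list a site owner can send back to the theme author (or use to decide whether to vendor patched copies themselves): each bundled package that is below its advisory's fixed version, plus any branch builds that cannot be verified. It only compares versions, so the MINIMUM_SAFE table must come from the actual advisories.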