25 security vulnerabilities with breaking changes in Ghost-CLI; Missing package-lock.json on fresh Ghost-CLI install

While auditing the npm packages after a fresh Ghost install, I see npm report 25 vulnerabilities (11 moderate, 14 high):

npm audit report

dot-prop <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/dot-prop
compare-func <=1.3.4
Depends on vulnerable versions of dot-prop
node_modules/compare-func
conventional-changelog-angular 0.0.1 - 5.0.10
Depends on vulnerable versions of compare-func
node_modules/conventional-changelog-angular
conventional-changelog 1.0.0 - 2.0.3
Depends on vulnerable versions of conventional-changelog-angular
Depends on vulnerable versions of conventional-changelog-core
Depends on vulnerable versions of conventional-changelog-jshint
node_modules/conventional-changelog
standard-version <=8.0.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version
conventional-changelog-jshint <=2.0.7
Depends on vulnerable versions of compare-func
node_modules/conventional-changelog-jshint
conventional-changelog-writer <=4.0.16
Depends on vulnerable versions of compare-func
Depends on vulnerable versions of meow
node_modules/conventional-changelog-writer
conventional-changelog-core 2.0.5 - 4.2.1
Depends on vulnerable versions of conventional-changelog-writer
Depends on vulnerable versions of conventional-commits-parser
Depends on vulnerable versions of git-raw-commits
Depends on vulnerable versions of git-semver-tags
node_modules/conventional-changelog-core

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install got@12.3.1, which is a breaking change
node_modules/download/node_modules/got
node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/download
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/latest-version/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version

mem <4.0.0
Severity: moderate
Denial of Service in mem - https://github.com/advisories/GHSA-4xcv-9jjx-gfj3
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/os-locale
yargs 8.0.0-candidate.0 - 12.0.5
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/standard-version/node_modules/yargs

moment <=2.29.3
Severity: high
Inefficient Regular Expression Complexity in moment - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: ‘dir/…/…/filename’ in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via npm audit fix --force
Will install moment@2.29.4, which is outside the stated dependency range
node_modules/moment

nanoid 3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via npm audit fix --force
Will install mocha@10.0.0, which is a breaking change
node_modules/nanoid
mocha 8.2.0 - 9.1.4
Depends on vulnerable versions of nanoid
node_modules/mocha

trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/conventional-recommended-bump/node_modules/trim-newlines
node_modules/get-pkg-repo/node_modules/trim-newlines
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/conventional-recommended-bump/node_modules/meow
node_modules/get-pkg-repo/node_modules/meow
node_modules/meow
conventional-commits-parser 2.1.5 - 3.0.8
Depends on vulnerable versions of meow
node_modules/conventional-commits-parser
git-raw-commits 1.3.4 - 2.0.3
Depends on vulnerable versions of meow
node_modules/git-raw-commits
git-semver-tags 1.3.4 - 3.0.1
Depends on vulnerable versions of meow
node_modules/git-semver-tags

validator <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via npm audit fix --force
Will install validator@13.7.0, which is a breaking change
node_modules/validator

yargs-parser 6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/standard-version/node_modules/yargs-parser

25 vulnerabilities (11 moderate, 14 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force


Additionally, I had to create a package-lock.json with npm i --package-lock-only in /usr/lib/node_modules/ghost-cli to be able to audit.

3 Likes
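Every advisory in the report above is only reachable with `npm audit fix --force`, and the line after each "fix available" tells you which package the forced fix would replace (standard-version@9.5.0, mocha@10.0.0, got@12.3.1) and whether that is a semver-major bump or merely a version outside the declared range. Doing that triage by eye over 25 entries is tedious, so the script below does it over the JSON form of the same report (`npm audit --json`, in the shape npm 7 and later emit) and also follows the `effects` edges to the package that would actually be bumped. This is an added example, not code from Ghost, Ghost-CLI or npm. The embedded report is constructed and abridged from the entries in the post (the intermediate conventional-changelog-* packages are left out); the `example-unfixed` entry and its GHSA id are hypothetical and only exercise the no-fix bucket. The triage matters because a forced fix applied inside a global install is rewritten the next time `npm i -g ghost-cli@latest` reinstalls the package from the registry, so the useful output is the list of packages a maintainer would need to bump, not a patched node_modules.

```javascript
'use strict';

// Added example, not Ghost's or npm's code: triage an `npm audit --json`
// report (npm 7+ shape) into "plain fix", "needs --force (major bump)",
// "needs --force (outside dependency range)" and "no fix" buckets.

// Constructed sample, abridged from the report in the post above: the
// intermediate conventional-changelog-* packages are omitted, and the
// `example-unfixed` entry (and its GHSA id) is hypothetical.
const SAMPLE_REPORT = {
  vulnerabilities: {
    'dot-prop': {
      name: 'dot-prop', severity: 'high', range: '<4.2.1',
      via: [{ name: 'dot-prop', title: 'dot-prop Prototype Pollution vulnerability',
              url: 'https://github.com/advisories/GHSA-ff7x-qrg7-qggm', severity: 'high', range: '<4.2.1' }],
      effects: ['compare-func'], nodes: ['node_modules/dot-prop'],
      fixAvailable: { name: 'standard-version', version: '9.5.0', isSemVerMajor: true },
    },
    'compare-func': {
      name: 'compare-func', severity: 'high', range: '<=1.3.4',
      via: ['dot-prop'], effects: ['standard-version'], nodes: ['node_modules/compare-func'],
      fixAvailable: { name: 'standard-version', version: '9.5.0', isSemVerMajor: true },
    },
    'standard-version': {
      name: 'standard-version', severity: 'high', range: '<=8.0.0',
      via: ['compare-func'], effects: [], nodes: ['node_modules/standard-version'],
      fixAvailable: { name: 'standard-version', version: '9.5.0', isSemVerMajor: true },
    },
    got: {
      name: 'got', severity: 'moderate', range: '<11.8.5',
      via: [{ name: 'got', title: 'Got allows a redirect to a UNIX socket',
              url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97', severity: 'moderate', range: '<11.8.5' }],
      effects: ['download'], nodes: ['node_modules/got', 'node_modules/download/node_modules/got'],
      fixAvailable: { name: 'got', version: '12.3.1', isSemVerMajor: true },
    },
    download: {
      name: 'download', severity: 'moderate', range: '>=4.0.0',
      via: ['got'], effects: [], nodes: ['node_modules/download'],
      fixAvailable: { name: 'got', version: '12.3.1', isSemVerMajor: true },
    },
    moment: {
      name: 'moment', severity: 'high', range: '<=2.29.3',
      via: [{ name: 'moment', title: 'Inefficient Regular Expression Complexity in moment',
              url: 'https://github.com/advisories/GHSA-wc69-rhjr-hc9g', severity: 'high', range: '<=2.29.3' }],
      effects: [], nodes: ['node_modules/moment'],
      // not a major bump, but still only reachable with --force ("outside the stated dependency range")
      fixAvailable: { name: 'moment', version: '2.29.4', isSemVerMajor: false },
    },
    'example-unfixed': { // hypothetical entry, not from the post
      name: 'example-unfixed', severity: 'critical', range: '*',
      via: [{ name: 'example-unfixed', title: 'Hypothetical advisory with no fix',
              url: 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx', severity: 'critical', range: '*' }],
      effects: [], nodes: ['node_modules/example-unfixed'], fixAvailable: false,
    },
  },
};

// Advisories are the objects in `via`; a string in `via` only names the
// vulnerable dependency through which the package is affected.
function listAdvisories(report) {
  const out = [];
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via !== 'object') continue;
      const m = /GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i.exec(via.url || '');
      out.push({ package: v.name, severity: via.severity, ghsa: m ? m[0] : null, title: via.title });
    }
  }
  return out.sort((a, b) => a.package.localeCompare(b.package));
}

// Follow `effects` edges to the packages nothing else in the report depends
// on: those are the ones `npm audit fix --force` would actually replace.
function affectedRoots(report, name) {
  const vulns = report.vulnerabilities, roots = new Set(), seen = new Set(), stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    const effects = (vulns[cur] && vulns[cur].effects) || [];
    if (effects.length === 0) roots.add(cur);
    stack.push(...effects);
  }
  return [...roots].sort();
}

// Bucket every vulnerable package by what its fix costs. `fixAvailable` is
// `true` (plain `npm audit fix`), `false` (nothing to install) or an object
// naming the package --force would install and whether that is a major bump.
function triageAudit(report) {
  const buckets = { plain: [], breaking: {}, outOfRange: [], none: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    const fix = v.fixAvailable;
    if (fix === true) buckets.plain.push(v.name);
    else if (fix === false) buckets.none.push(v.name);
    else if (fix.isSemVerMajor) {
      const key = `${fix.name}@${fix.version}`;
      (buckets.breaking[key] = buckets.breaking[key] || []).push(v.name);
    } else buckets.outOfRange.push(v.name);
  }
  for (const list of [buckets.plain, buckets.outOfRange, buckets.none, ...Object.values(buckets.breaking)]) list.sort();
  return buckets;
}

// Stand-alone use: `node triage.js audit.json` after `npm audit --json > audit.json`;
// with no argument the constructed sample is triaged.
if (typeof require !== 'undefined' && require.main === module) {
  const report = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_REPORT;
  console.log(JSON.stringify({ advisories: listAdvisories(report), triage: triageAudit(report) }, null, 2));
}
```

Run it against a real report by generating the lock file as described above (`npm i --package-lock-only` in the package directory, or in a scratch copy of its package.json so the global install is not touched), then `npm audit --json > audit.json` and `node triage.js audit.json`. For the sample the `plain` bucket is empty, which is exactly the situation the post describes: nothing is fixable without `--force`, and the `breaking` bucket is keyed by the package a maintainer would have to bump (standard-version@9.5.0, got@12.3.1).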

Thanks for posting this. I am having this issue when I run the Ghost CLI update, with 6 errors (5 moderate, 1 critical). When I run the npm audit fix --force command, it shows 0 vulnerabilities after that. But then when I try to run sudo npm i -g ghost-cli@latest again, I have the same errors (6: 5 moderate, 1 critical) :confused:

Not sure where to go with it.

1 Like

Are there any plans to patch/upgrade some of these dependencies with security vulnerabilities?
These are showing as issues in my project because it depends on

gatsby-plugin-advanced-sitemap@2.1.0

Very good question. I posted this on the 11th of August and since then NO answer has been given by the developers.
Do they simply not care that their system uses and thereby has security vulnerabilities?
Are they too small to address them?
Then actually tell the community that so we can look for a solution ourselves.

Our team updates core packages regularly. The Gatsby plugin for advanced sitemaps is community maintained. Pull requests are always welcome.