Re: Need some advice addressing "unfixable" publicly known vulnerabilities
Unfortunately I don't have a really good answer for your problem, but I
thought it might be interesting that I looked into a very similar issue
lately, which is bundled jquery.
Plenty of applications bundle either jquery 1 or jquery 2, including
major applications like wordpress. They are unsupported, but jquery 3
introduces breaking changes and thus updates aren't easy, if you have a
vast plugin ecosystem like wordpress then it becomes almost impossible.
There are a couple of obscure CVEs in these versions that from my lay
understanding matter only in very specific circumstances. But they are
there and tools may flag them. I'm actually developing a security tool
myself that is somewhat affected by this (freewvs, optional -3
parameter ), where I don't really know how to handle this best.
An easy way out would be if jquery would provide security-only-updates
for their old branches, but they don't want to do that  and also it
seems one of the issues can't be fixed without breaking things.