To Include @scullyio/ng-lib in GHSA-r96p-v3cr-gfv8

[shivakumar-loginsoft]

The advisory for GHSA-r96p-v3cr-gfv8 lists the vulnerable package as @scullyio/scully. However as per fix commit However, according to the fix commit, the vulnerability is specific to the TransferStateService which is a part of ng-lib package.

Could you please review and update the advisory accordingly? Thank you.

[yhidad31]

Hi @shivakumar-loginsoft, please provide a working link for the fix commit so we can verify the change. Thank you.

[Fidget-Grep]

Hi @yhidad31 , Shiva and I actually worked together on analyzing this vuln and I think I can help out. The fix commit (as linked in the original advisory) appears to be this.
Since ng-lib appears to be a sub-library of Scully, and (more importantly) is often imported on its own, I agree that we should add it to the vulnerable package list for completeness.