WebKitGTK vulnerable references

I’m running a static analysis tool against an application and it reports that CodeMirror is referencing WebKitGTK+ 2.0.24 (via node modules) in the following files:

There are a number of CVEs being reported as associated, including CVE-2018-11646, as well as several which have not yet been disclosed. Looking in the dependencies, I don’t see any direct references to WebKitGTK+ but I do see that they reference the codemirror.js file under the node module codemirror/lib/codemirror.js which has references to WebKitGTK. Is CodeMirror actually referencing WebKitGTK+ 2.0.24, and if so is the team aware of the aforementioned CVE / other undisclosed vulnerabilities?

This is a browser JavaScript project, and as such it can’t load C++ libraries.

Thanks for clarifying, marijn!