agnitas-org / openemm

Web-based software for email automation and marketing (newsletters, multi-stage mail campaigns, transaction mails, autoresponder, etc.)

Home Page: https://www.agnitas.de/en/e-marketing_manager/email-marketing-software-variants/openemm/


Security: Multiple CVEs

binarious opened this issue · comments

I ran a dependency check on https://github.com/agnitas-org/openemm/tree/master/frontend/lib, because I found some old versions there. These are the results:
Dependencies Scanned: 137 (110 unique)
Vulnerable Dependencies: 16
Vulnerabilities Found: 83

Small excerpt:
(image: excerpt of the dependency-check report)

There are a lot of critical ones including authentication bypasses. Are these all false-positives?

Not all of these are false positives. But, for example, we fixed the known Struts 1 vulnerabilities ourselves in the code because of its EOL. Some of the exploits do not work in the OpenEMM environment. Other issues will be addressed anyway, since we plan to replace libraries with our switch to Java 11.
Right now we are in the process of discussing how to communicate these issues in a timely and transparent way.
BTW, we have penetration tests done on the deployed software by professional pen testers about once a year.

We have updated some 3rd party components in OpenEMM 20.04 and will continue to do so. We implemented an internal process to analyze and evaluate the results of the OWASP Dependency-Check for Java and JavaScript.
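The opening post quotes the headline numbers of a Dependency-Check run (scanned vs. unique dependencies, vulnerable dependencies, findings), and the last reply mentions an internal process for evaluating such results. The script below, added here as an illustration and not code from OpenEMM or from the reporter, shows what that evaluation can look like in practice: it reproduces the headline counts from a report in Dependency-Check's JSON format, applies per-artifact triage decisions of the kind described in the thread ("patched in our own code", "not reachable in this deployment"), fails a build gate when an unsuppressed finding at or above a chosen severity remains, and renders the decisions as a Dependency-Check suppression file so they are reviewed rather than lost. The embedded report is constructed; its file names, hashes and `CVE-0000-000x` identifiers are placeholders and not real findings. The JSON keys used (`dependencies[]` with `fileName`, `sha1`, `sha256`, `vulnerabilities[]` with `name`, `severity`, `cvssv3.baseScore`) follow the real report layout, and the suppression XML uses the `<suppress>`/`<sha1>`/`<cve>` elements of the published suppression schema; the suppression list itself is an assumed input.

```python
"""Triage an OWASP Dependency-Check JSON report (added example, constructed data)."""
import json
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed report. The same jar appears twice with identical hashes to model
# the "scanned vs. unique" distinction; CVE ids and file names are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-web-1.0.jar", "sha256": "aa" * 32, "sha1": "11" * 20,
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "example-web-1.0.jar", "sha256": "aa" * 32, "sha1": "11" * 20,
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "example-util-2.3.jar", "sha256": "bb" * 32, "sha1": "22" * 20,
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "example-clean-3.1.jar", "sha256": "cc" * 32, "sha1": "33" * 20},
    ]
})

# Assumed triage decisions, keyed by (artifact sha1, CVE). Keying on the hash means
# a suppression only covers the exact artifact that was reviewed: an upgraded or
# differently built copy of the library is scanned fresh.
SUPPRESSIONS = {
    ("11" * 20, "CVE-0000-0001"): "patched in vendored source; verified by code review",
}


def load_report(text):
    """Parse the JSON report and return its dependency list."""
    return json.loads(text)["dependencies"]


def summarize(deps):
    """Reproduce the headline counts printed by Dependency-Check."""
    vulnerable = [d for d in deps if d.get("vulnerabilities")]
    return {
        "scanned": len(deps),
        "unique": len({d["sha256"] for d in deps}),
        "vulnerable": len(vulnerable),
        "findings": sum(len(d["vulnerabilities"]) for d in vulnerable),
    }


def triage(deps, suppressions):
    """Split findings into (open, suppressed), deduplicated per artifact and CVE.

    Open findings are ordered most severe first so a reviewer sees the
    authentication-bypass class of issue before the noise."""
    open_, suppressed = {}, {}
    for d in deps:
        for v in d.get("vulnerabilities", []):
            key = (d["sha1"], v["name"])
            rec = {"file": d["fileName"], "sha1": d["sha1"], "cve": v["name"],
                   "severity": v["severity"].upper(),
                   "score": v.get("cvssv3", {}).get("baseScore")}
            if key in suppressions:
                suppressed[key] = dict(rec, reason=suppressions[key])
            else:
                open_[key] = rec
    ranked = sorted(open_.values(), key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))
    return ranked, list(suppressed.values())


def gate(open_findings, min_severity="HIGH"):
    """Build gate: True only if no open finding is at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return all(SEVERITY_RANK.get(f["severity"], 0) < floor for f in open_findings)


def suppression_xml(suppressed):
    """Render decisions as a Dependency-Check suppression file, reason included."""
    ns = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
    root = ET.Element("suppressions", xmlns=ns)
    for s in suppressed:
        sup = ET.SubElement(root, "suppress")
        ET.SubElement(sup, "notes").text = f"{s['file']}: {s['reason']}"
        ET.SubElement(sup, "sha1").text = s["sha1"]
        ET.SubElement(sup, "cve").text = s["cve"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    deps = load_report(SAMPLE_REPORT)
    print("summary:", summarize(deps))
    open_findings, suppressed = triage(deps, SUPPRESSIONS)
    for f in open_findings:
        print(f"OPEN {f['severity']:<8} {f['cve']} in {f['file']} (CVSS {f['score']})")
    print("gate (HIGH and above must be clear):", gate(open_findings))
    print(suppression_xml(suppressed))
```

The point of keying suppressions on the artifact hash and recording a reason is that "we fixed it in our own copy" or "not exploitable in this deployment" become auditable statements tied to one specific jar, which is exactly the kind of per-finding judgement the maintainers describe making; swapping the constructed `SAMPLE_REPORT` for the `dependency-check-report.json` produced by the CLI's `--format JSON` option is the only change needed to run it on a real scan.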