petkaantonov / bluebird

:bird: :zap: Bluebird is a full featured promise library with unmatched performance.

Home Page: http://bluebirdjs.com


Upgrade `open` dependency

ryw opened this issue

`open` 0.0.5 is vulnerable (https://www.npmjs.com/advisories/663); fixed in any version > 0.0.5.

Sure, though note that bluebird has no dependencies and this is just a devDependency.

For some reason Twistlock (a CVE scanner from Palo Alto Networks) is alerting on this CVE in our API image; possibly it's coming from some other dependency. Will re-check.
/cc @samblackk

devDependency, closing.

Found this:

"The 'dependencies' and 'devDependencies' sections from package.json file may contain special metadata chars (~ and ^), which are picked up by Twistlock as part of the package version, causing these false positives. If using twistcli, these fields are evaluated when the -include-js-dependencies flag is set. These are also evaluated for images when the "Scan for vulnerable javascript package dependencies within images and functions" is toggled on." - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNXaCAO
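The two questions this thread turns on are whether the flagged package is a runtime dependency or only a devDependency, and what version the manifest's range actually resolves to once the `^`/`~` prefix that trips the scanner is stripped. The following is an added example, not code from bluebird or from Twistlock: a small Node script that answers both for a constructed package.json. The sample manifest, the `triage`/`baseVersion` helpers and the "patched above 0.0.5" threshold (taken from the opening comment's wording, not verified against the advisory) are all assumptions made for illustration.

```javascript
// Added example (not bluebird's own code): triage a scanner finding of the
// form "open 0.0.5 vulnerable, fixed in any version > 0.0.5" against a
// package.json, separating runtime dependencies from devDependencies and
// stripping semver range operators before comparing versions.

// Constructed sample manifest modelled on the issue; not bluebird's real
// package.json. `open` appears only under devDependencies with a caret range.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  dependencies: { lodash: "~4.17.0" },
  devDependencies: { open: "^0.0.5", mocha: ">=5.0.0" }
});

// Strip a leading range operator (^, ~, >=, >, =, v) and return the bare
// lower-bound version "X.Y.Z", or null if the spec is not a plain range.
// A scanner that keeps the prefix and compares "^0.0.5" as a literal version
// is exactly the false positive the Palo Alto KB article describes.
function baseVersion(spec) {
  const m = /^\s*(?:\^|~|>=|>|=|v)?\s*(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null;
  return `${m[1]}.${m[2]}.${m[3]}`;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Look the package up in each dependency section of the manifest and report:
//  - which section declares it (devDependencies do not ship in a built image
//    installed with `npm install --production` / `npm ci --omit=dev`),
//  - the lower-bound version the range resolves to,
//  - whether that lower bound is <= patchedAbove, i.e. inside the range an
//    advisory phrased as "fixed in any version > patchedAbove" covers.
// Returns null when the package is not declared at all.
function triage(packageJsonText, pkgName, patchedAbove) {
  const pkg = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const section of sections) {
    const spec = pkg[section] && pkg[section][pkgName];
    if (spec === undefined) continue;
    const resolvedMinimum = baseVersion(spec);
    const vulnerable =
      resolvedMinimum !== null && compareVersions(resolvedMinimum, patchedAbove) <= 0;
    return {
      section,
      spec,
      resolvedMinimum,
      vulnerable,
      shipsInRuntime: section !== "devDependencies"
    };
  }
  return null;
}

// Usage: the finding from the issue, run against the constructed manifest.
console.log(triage(SAMPLE_PACKAGE_JSON, "open", "0.0.5"));
```

Note the caveat on the `vulnerable` field: it reasons about the lower bound of the declared range, which is what a manifest-only scan can see. The version actually installed is pinned by package-lock.json, so the authoritative check on a built image is `npm ls open` (or reading the lockfile) rather than package.json, and a devDependency hit should be confirmed absent from the production install before the alert is dismissed.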