Tanzu Hub Vulnerability Insights Shows Old CVEs as Affected/No Fix Yet

Article ID: 424176

Products

VMware Tanzu Platform - Hub

Issue/Introduction

When viewing vulnerabilities for a particular buildpack, you may see old CVEs that still show as Affected with a Status of No Fix Yet.

Cause

Buildpack CVE listings cover vulnerabilities in all versions of the Buildpack that are bundled in the package, including very old ones, even if those versions are not actively in use by the applications.

Resolution

There is no fix or ETA yet. R&D is working on a feature that will enable toggling between "everything that's in the Buildpack" and "show me only the Buildpack components I'm actually using". This KB will be updated once this feature is released.