well-known doesn't equal universally known; some folks just don't do much work with nodejs and aren't cybersecurity generalists who read CVEs for breakfast, so maybe consider linking to one of the writeups.

I gather it's impossible to edit the mean post, so here's one relatively recent article that seems to be from the second wave of coverage.