
I use the Trivy GitHub action (aquasecurity/trivy-action@master) to scan my NestJS project, but I keep getting the vulnerabilities below even though I have not used those packages directly or indirectly (there is no trace of them in my yarn.lock). Why would Trivy report these vulnerabilities?

┌─────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ dot-object (package.json)           │ CVE-2019-10793 │ MEDIUM   │ 1.1.0             │ 2.1.3         │ Prototype Pollution in dot-object                          │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-10793                 │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │ HIGH     │ 4.1.0             │ 4.1.1         │ http-cache-semantics: Regular Expression Denial of Service │
│                                     │                │          │                   │               │ (ReDoS) vulnerability                                      │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25881                 │
└─────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
Azeem
Peter_101
  • Try using the `npm why` command, https://stackoverflow.com/a/54599863/2270041 – Matteo Mar 20 '23 at 08:30
  • PS C:\repo\todo-js> yarn why http-cache-semantics
    yarn why v1.22.17
    [1/4] Why do we have the module "http-cache-semantics"...?
    [2/4] Initialising dependency graph...
    [3/4] Finding dependency...
    error We couldn't find a match!
    – Peter_101 Mar 20 '23 at 09:47
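A check worth running before trusting `yarn why`: the Library column in the table above says `(package.json)`, not `(yarn.lock)`, so the finding came from a package.json that exists on disk somewhere in the scanned tree, and `yarn why` only knows about packages in the lockfile it manages. The script below is an added example, not part of the question, of Trivy, or of yarn: it walks a directory for every package.json whose top-level `"name"` matches the reported library and prints the path and version, which is how you find a copy living in a nested or vendored node_modules that the project lockfile never mentions. The `make_fixture` function builds a constructed, hypothetical tree (a root project with no dot-object in its own dependency list, plus a vendored `tools/legacy-cli` with its own node_modules) purely so the script runs offline; it assumes a POSIX shell with find, grep, sed and awk (Git Bash or WSL on the Windows machine shown in the comments).

```shell
#!/bin/sh
# Added example: locate every package.json in a tree that declares a given
# package name, regardless of whether the project lockfile knows about it.
# Not Trivy or yarn code; the fixture below is constructed for demonstration.

# locate_pkg <package-name> [root-dir]
# Prints "<path><TAB><version>" for each matching package.json.
locate_pkg() {
  pkg="$1"
  root="${2:-.}"
  # escape ERE metacharacters so the package name is matched literally
  esc=$(printf '%s' "$pkg" | sed 's/[][\.*^$]/\\&/g')
  find "$root" -type f -name package.json 2>/dev/null | while IFS= read -r f; do
    # anchor on the "name" field: dependency lists use the package name as a
    # key (e.g. "dot-object": "^1.1.0"), and those must not count as a hit
    if grep -Eq "\"name\"[[:space:]]*:[[:space:]]*\"$esc\"" "$f"; then
      ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
      printf '%s\t%s\n' "$f" "${ver:-unknown}"
    fi
  done
}

# make_fixture <dir>: constructed tree mimicking the situation in the question.
# The root project never depends on dot-object; a vendored CLI under tools/
# carries its own node_modules with dot-object 1.1.0, invisible to yarn why.
make_fixture() {
  root="$1"
  mkdir -p "$root/node_modules/http-cache-semantics" \
           "$root/node_modules/some-lib" \
           "$root/tools/legacy-cli/node_modules/dot-object"
  cat > "$root/package.json" <<'EOF'
{ "name": "todo-js", "version": "0.0.1", "dependencies": { "some-lib": "^1.0.0" } }
EOF
  cat > "$root/node_modules/http-cache-semantics/package.json" <<'EOF'
{ "name": "http-cache-semantics", "version": "4.1.0" }
EOF
  # decoy: mentions dot-object only as a dependency key, not as its own name
  cat > "$root/node_modules/some-lib/package.json" <<'EOF'
{ "name": "some-lib", "version": "1.0.0", "dependencies": { "dot-object": "^1.1.0" } }
EOF
  cat > "$root/tools/legacy-cli/node_modules/dot-object/package.json" <<'EOF'
{ "name": "dot-object", "version": "1.1.0" }
EOF
}

# Run the demo when executed directly as: sh locate_pkg.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  locate_pkg dot-object "$tmp"
  locate_pkg http-cache-semantics "$tmp"
  rm -rf "$tmp"
fi
```

Run it against the same path the action scans (`scan-ref`), not only the repository checkout: if the hit lands under a vendored tool, a build output directory, or a node_modules that yarn did not install, that explains why the lockfile has no trace of it, and the fix is to upgrade or drop that copy rather than the project dependency.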

0 Answers