Vulnerability checking on Maven packages

Currently running Version 2025.17 (Build 20) of ProGet.

Do we have something configured wrong, or does the vulnerability checking not work well for maven packages and the weird version sorting that these use?

For example, if I look at version 2.21.0 for com.fasterxml.jackson.core:jackson-databind, it shows a huge list of vulnerabilities for this version, but the vulnerability details show that these vulnerabilities are for versions that are older than 2.21.0.

2.21.0 doesn't seem to have any vulnerabilities itself, but due to the version sorting it seems to be getting associated with lots of old vulnerabilities.

Is there any way for us to resolve this issue, or is the vulnerability checking basically unusable for these maven packages?

When promoting files between pypi feeds, is the option to promote a single file actually supported?

The help documentation for the pgutil command "packages promote" provides the following example:

pgutil packages promote --feed=private-pypi --to-feed=public-pypi --package=Django --version=5.0.6 --filename=Django-5.0.6.tar.gz

However, when including the filename in a call, it responds that filename was an unexpected argument.