
Incorrect dependabot alerts when version in package-lock.json is outside affected range #9528

Closed · silverwind opened this issue Apr 18, 2024 · 1 comment
Labels
L: git:submodules Git submodules L: go:modules Golang modules L: javascript L: ruby:bundler RubyGems via bundler T: bug 🐞 Something isn't working

Comments

@silverwind

silverwind commented Apr 18, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

npm@10

Language version

node 20

Manifest location and content before the Dependabot update

https://github.com/go-gitea/gitea/blob/main/package-lock.json

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

No dependabot alert raised, but it raised multiple alerts for GHSA-35jh-r3h4-6jhm, for example https://github.com/go-gitea/gitea/security/dependabot/64.

lodash@4.17.21 does not match the affected version range <= 4.5.0, and npm ls lodash also confirms that there is no affected version in the file:

$ npm ls lodash
gitea@
├─┬ @stoplight/spectral-cli@6.11.1
│ ├─┬ @stoplight/json@3.21.0
│ │ └── lodash@4.17.21 deduped
│ ├─┬ @stoplight/spectral-core@1.18.3
│ │ └── lodash@4.17.21 deduped
│ ├─┬ @stoplight/spectral-formatters@1.3.0
│ │ └── lodash@4.17.21 deduped
│ ├─┬ @stoplight/spectral-ref-resolver@1.0.4
│ │ └─┬ @stoplight/json-ref-resolver@3.1.6
│ │   └── lodash@4.17.21 deduped
│ ├─┬ @stoplight/spectral-ruleset-bundler@1.5.2
│ │ └─┬ @stoplight/spectral-functions@1.7.2
│ │   └── lodash@4.17.21 deduped
│ ├─┬ @stoplight/spectral-rulesets@1.18.1
│ │ └── lodash@4.17.21 deduped
│ ├─┬ @stoplight/spectral-runtime@1.1.2
│ │ └── lodash@4.17.21 deduped
│ └── lodash@4.17.21
├─┬ eslint-plugin-vue-scoped-css@2.8.0
│ ├── lodash@4.17.21 deduped
│ └─┬ vue-eslint-parser@9.4.2
│   └── lodash@4.17.21 deduped
└─┬ mermaid@10.9.0
  └─┬ cytoscape@3.28.1
    └── lodash@4.17.21 deduped

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@silverwind silverwind added the T: bug 🐞 Something isn't working label Apr 18, 2024
@github-actions github-actions bot added L: git:submodules Git submodules L: go:modules Golang modules L: javascript L: ruby:bundler RubyGems via bundler labels Apr 18, 2024
@silverwind silverwind changed the title Incorrect dependabot alerts for lodash (GHSA-35jh-r3h4-6jhm) Incorrect dependabot alerts when version in package-lock.json is outside affected range Apr 18, 2024
@silverwind (Author)

silverwind commented Apr 18, 2024

Ah, I see it is actually a correct alert; the affected package is a subpackage of lodash:

$ npm ls lodash.template
gitea@
└─┬ license-checker-webpack-plugin@0.2.1
  └── lodash.template@4.5.0

Sorry, I'll be closing this.

@silverwind silverwind closed this as not planned Apr 18, 2024
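The thread above turns on one detail: the advisory names the npm package lodash.template, which is a distinct package from lodash, so `npm ls lodash` cannot show the affected install and the alert on lodash.template@4.5.0 is correct. The following is an added example, not code from the issue, from Dependabot or from the gitea project. It walks a lockfileVersion 3 package-lock.json, matches entries against an advisory by exact package name and a comparator-style version range, and reports who depends on the affected copy. The lockfile contents are constructed for the example; the advisory id, package and range (`<= 4.5.0`) are those stated in the issue.

```javascript
'use strict';

// Constructed lockfile (lockfileVersion 3 "packages" shape), reduced to a
// handful of entries; this is not gitea's real package-lock.json. Each key
// is the install path under node_modules, as npm writes it.
const LOCKFILE = {
  name: 'gitea',
  lockfileVersion: 3,
  packages: {
    '': { name: 'gitea' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodash.template': { version: '4.5.0' },
    'node_modules/license-checker-webpack-plugin': {
      version: '0.2.1',
      dependencies: { 'lodash.template': '^4.5.0' },
    },
    'node_modules/@stoplight/json': {
      version: '3.21.0',
      dependencies: { lodash: '^4.17.21' },
    },
  },
};

// Advisory as described in the issue: GHSA-35jh-r3h4-6jhm affects the npm
// package lodash.template at versions <= 4.5.0 (a separate package from lodash).
const ADVISORY = {
  id: 'GHSA-35jh-r3h4-6jhm',
  ecosystem: 'npm',
  package: 'lodash.template',
  range: '<= 4.5.0',
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is a list of comparators that must all hold, e.g. ">= 4.0.0 < 4.5.1".
// "||" alternatives, "^"/"~" shorthands and pre-release ordering are out of scope here.
function satisfies(version, range) {
  const re = /(<=|>=|<|>|=)?\s*(v?\d+\.\d+\.\d+)/g;
  let m, seen = false;
  while ((m = re.exec(range)) !== null) {
    seen = true;
    const cmp = compareVersions(version, m[2]);
    const op = m[1] || '=';
    const ok = { '<': cmp < 0, '<=': cmp <= 0, '>': cmp > 0, '>=': cmp >= 0, '=': cmp === 0 }[op];
    if (!ok) return false;
  }
  if (!seen) throw new Error(`no comparators in range: ${range}`);
  return true;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b": the package name is
// everything after the last "node_modules/" segment. The root entry ("") yields null.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  if (idx === -1) return null;
  return lockPath.slice(idx + 'node_modules/'.length);
}

// Every installed copy of the advisory's package whose version is in the affected
// range. Matching is on the exact package name: "lodash" is not "lodash.template",
// so lodash@4.17.21 is never even compared against the range.
function findAffected(lockfile, advisory) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name !== advisory.package || !entry.version) continue;
    if (satisfies(entry.version, advisory.range)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits;
}

// Which packages declare a dependency on pkgName: the `npm ls <pkg>` view of the same data.
function dependents(lockfile, pkgName) {
  return Object.entries(lockfile.packages || {})
    .filter(([, e]) => e.dependencies && pkgName in e.dependencies)
    .map(([p]) => packageNameFromPath(p) || lockfile.name);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findAffected(LOCKFILE, ADVISORY)) {
    console.log(`${ADVISORY.id}: ${h.name}@${h.version} at ${h.path}` +
      ` (required by ${dependents(LOCKFILE, h.name).join(', ')})`);
  }
  console.log(`lodash@4.17.21 in range ${ADVISORY.range}? ${satisfies('4.17.21', ADVISORY.range)}`);
}
```

Run against a real lockfile by replacing `LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the same `npm ls lodash.template` check from the thread is what `dependents()` reproduces, and it is the query to run whenever an alert names a package that merely shares a prefix with one you expected.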