
[npm] Only shortcut search when non-vuln version of advisory dep is found #5796

Merged: 1 commit merged into main from mctofu/vuln-shortcut on Sep 27, 2022

Conversation

@mctofu mctofu (Contributor) commented Sep 26, 2022

There can be other deps marked as vulnerable that aren't the advisory dep (locking parents) and we can't be sure that a non-vulnerable version of those deps doesn't still have a vulnerable version of the advisory dep as a child.

For example, for an advisory on C:

A -> B (vuln) -> C (vuln)
  | -> D -> B (not vuln) -> C (vuln)

I haven't found real examples of this occurring yet but this is worth fixing since it could lead to PRs that don't fully fix an alert.
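The scenario from the description, as an added example that is not code from this PR or from the project: a toy dependency-tree walk in which the "before" shortcut prunes at any marked dependency seen at a non-vulnerable version, while the "after" shortcut prunes only at a non-vulnerable version of the advisory dependency itself. The tree shape, version numbers, the "major version below 2 is vulnerable" predicate and the marking of B as a locking parent are all constructed assumptions.

```javascript
// Added example, not code from the PR or from the project. Tree shape, versions,
// the vulnerability predicate and the marking of B are constructed for illustration.

const dep = (name, version, ...deps) => ({ name, version, deps });
const vulnMajor = (v) => parseInt(v, 10) < 2; // assumed: major < 2 is vulnerable

// Advisory on C. B is a "locking parent": B@1 only resolves to a vulnerable C,
// so the search marks B as vulnerable too (assumed marking).
const advisoryDep = "C";
const marked = { C: vulnMajor, B: vulnMajor };

// Tree from the PR description:
//   A -> B (vuln) -> C (vuln)
//     -> D -> B (not vuln) -> C (vuln)
const tree = dep("A", "1.0.0",
  dep("B", "1.0.0", dep("C", "1.0.0")),
  dep("D", "1.0.0", dep("B", "2.0.0", dep("C", "1.0.0"))));

// Same tree after a PR bumped the direct B to 2.0.0; B@2 still pins C@1.
const bumped = dep("A", "1.0.0",
  dep("B", "2.0.0", dep("C", "1.0.0")),
  dep("D", "1.0.0", dep("B", "2.0.0", dep("C", "1.0.0"))));

// Walk the tree and collect every vulnerable instance of the advisory dep.
// mayShortcut(node) says whether reaching a marked dep at a non-vulnerable
// version lets the walker skip that node's whole subtree.
function findVulnerable(node, mayShortcut, out = []) {
  const check = marked[node.name];
  if (check && !check(node.version) && mayShortcut(node)) {
    return out; // shortcut: assume nothing vulnerable remains beneath it
  }
  if (node.name === advisoryDep && vulnMajor(node.version)) out.push(node);
  for (const child of node.deps) findVulnerable(child, mayShortcut, out);
  return out;
}

// Before the fix: any marked dep at a non-vulnerable version shortcuts.
const shortcutAnyMarked = () => true;
// After the fix: only a non-vulnerable version of the advisory dep itself does.
const shortcutAdvisoryOnly = (node) => node.name === advisoryDep;

// Remaining vulnerable instances, as "name@version" strings.
function remaining(t, mayShortcut) {
  return findVulnerable(t, mayShortcut).map((n) => `${n.name}@${n.version}`);
}
```

On the bumped tree the old shortcut reports nothing vulnerable, so the alert would look fixed, while the advisory-only shortcut still finds both vulnerable C instances.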

@mctofu mctofu marked this pull request as ready for review September 26, 2022 23:01
@mctofu mctofu requested a review from a team as a code owner September 26, 2022 23:01
@bdragon bdragon (Member) left a comment

Took me a second to wrap my brain around this, but makes sense 👍

There can be other deps marked as vulnerable that aren't the
advisory dep (locking parents) and we can't be sure that a
non-vulnerable version of those deps doesn't still have a
vulnerable version of the advisory dep as a child.
@mctofu mctofu merged commit 086a2e0 into main Sep 27, 2022
@mctofu mctofu deleted the mctofu/vuln-shortcut branch September 27, 2022 01:10
@pavera pavera mentioned this pull request Oct 31, 2022