v0.3.15 — prismjs misleading remediation fix + SOFT collapse
SYNAPTIC Sentinel v0.3.15
🎯 prismjs misleading remediation fix (DG-115 A + DG-115.1 A G7). Closes the 🚨 prismjs Known Issue declared in v0.3.14 release notes. SCA findings whose vulnerable copy is a transitive nested-pinned dep (e.g. prismjs@1.27.0 nested under refractor@3.6.0) now receive an override directive (npm overrides / yarn resolutions / pnpm.overrides) — a top-level bump alone does NOT honor the parent's pin and the sidebar now surfaces this.
What changed
- DG-115 A —
overrideDirectivefor transitive nested-pinned SCA. Trivy v0.70.0 already exposesResult.Packages[]with the full dep graph +PkgIdentifier.UID1:1 matching; the normalizer now consumes it. Each Finding gainssca.dependencyContext { directness, pinnedBy, hasSiblingFixedCopy }. EachFindingGroupwith at least oneindirectfinding + known package manager + known fix version gainsremediation.overrideDirective { manager, packageName, versionRange, snippet, hasSiblingFixedCopy, pinnedBy[] }. The sidebar renders the directive as a dominant block above the children, with a Copy button (clipboard API +getSelection().selectAllChildrenfallback) and cites the pinner in the risk caveat. - DG-115.1 A G7 — STRONG / SOFT visual hierarchy (webview-only refinement). STRONG (
hasSiblingFixedCopy: true, e.g. prismjs) stays prominently expanded red. SOFT (hasSiblingFixedCopy: false, ~8 findings per scan: protobufjs / node-forge / fast-uri / uuid / etc.) is now collapsed by default inside a<details>with a one-liner summary"Transitive (via <pinnedBy[0]>) — plain bump usually works; override if it persists (<manager>)". The body (caveat + plain bump line + snippet + Copy + risk caveat) is revealed on expand. Data of the tomo is unchanged.
Known Issues retired
The 🚨 prismjs warning from v0.3.14 is retired. Override directives are now emitted for any transitive nested-pinned SCA finding.
Known Issues still open
- Parent/child SCA correlation (e.g.
@protobufjs/utf8finding listed as a separate group from its parentprotobufjs). Deferred — tracked asDG-future-SCA-dep-graph. - Reachability framework-level (config-gated CVEs like fastify
trustProxy). Deferred — the newsca.dependencyContext+sca.packageManagerfields are the data foundation for it. - Inconclusive-but-well-reasoned SAST taint verdicts — unchanged, success by design for the class of finding where the sink's implementation lives in another file.
Trivy DependsOn caveat (known data limit)
Trivy Result.Packages[*].DependsOn lists resolved dep versions, NOT the constraint ranges (^ vs ~ vs exact) of the pinner. SENTINEL cannot decide automatically whether a plain top-level bump satisfies the pinner's constraint; the STRONG / SOFT split uses hasSiblingFixedCopy (binary: is there a fixed copy top-level?) as a safe over-approximation.
Verification
- Empirical against the SYNAPTIC_SAAS web lockfile (
pnpm-lock.yamlwithreact-syntax-highlighter@15.6.6 → refractor@3.6.0 → prismjs@1.27.0chain +prismjs@1.30.0top-level). - Baseline-5 (step5.vsix) confirmed
overrideDirective+dependencyContextfor the prismjs case. - Baseline-5.1 (step5b.vsix) confirmed STRONG/SOFT visual hierarchy + tomo data byte-identical to step5.
pnpm verifyVERDE: 60 test files / 707 tests + manifest gate + activation gate (9 commands + 15 subscriptions).
Schema changes (additive, backward-compatible)
TrivyResultSchema:Type?: string,Packages?: TrivyPackage[].ScaMetadataSchema:packageManager?: string,dependencyContext?: DependencyContext.RemediationTargetSchema:overrideDirective?: OverrideDirective.- New dependency:
semverin@synaptic-sentinel/scouts.
Installation
vsce publish to the VS Code Marketplace is not part of this release — the Marketplace listing is on v0.3.3 and 12 GitHub-only releases (v0.3.4 → v0.3.15) accumulate user-side publishing operations. To install in VS Code:
```
code --install-extension synaptic-sentinel-0.3.15.vsix
```
…or use Install from VSIX... in the Extensions view.
Artifact
synaptic-sentinel-0.3.15.vsix— 1838 files / 3.19 MB / 3,346,724 bytes- SHA-256: `6e435c0b5a7ae6d43ef6b7a69b9911a00e2694edac92ce2cd42c6c75dd9e89b7`