
chore: fix UFM transitive upgrades being marked as directly upgradable #6717

Merged
CatalinSnyk merged 1 commit into main from chore/CLI-1375_ufm_remediation_for_direct_dependencies
Apr 17, 2026

Conversation


@CatalinSnyk CatalinSnyk commented Apr 9, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

In certain cases the Remediation Summary from the UFM Presenter would treat transitive dependency upgrades as directly upgradable. This would result in incorrect upgrade advice (e.g. Upgrade from x@1.2.3 to x@1.2.3 - since the actual upgrade would be for a nested dependency).

Where should the reviewer start?

How should this be manually tested?

  • Running an OSS scan against the CLI repository with --reachability enabled should show some different results in terms of issues reported as directly upgradable. The changes should also align the UFM remediation output more closely with the legacy CLI output (can be tested with OSS scans with/without reachability enabled).

What's the product update that needs to be communicated to CLI users?

None.
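A worked illustration of the classification the description refers to, added here as an example and not the CLI's own code. The `from`/`upgradePath` shape and the `classify` helper are assumptions modelled on the legacy `snyk test --json` output; the point is that "directly upgradable" must depend on the direct dependency's version actually changing, not merely on an upgrade path existing.

```go
package main

import (
	"fmt"
	"strings"
)

// Advice is what a remediation summary should tell the user for one issue.
// Assumed model, not the UFM presenter's own types.
type Advice struct {
	Direct      bool   // true only when the direct dependency itself changes version
	Package     string // name of the direct dependency
	FromVersion string
	ToVersion   string
}

// splitPkg splits "name@version" at the last '@', so scoped names such as
// "@scope/x@1.2.3" keep their leading '@'.
func splitPkg(s string) (name, version string) {
	i := strings.LastIndex(s, "@")
	if i <= 0 {
		return s, ""
	}
	return s[:i], s[i+1:]
}

// classify decides whether an upgrade path is a direct upgrade. from is the
// dependency path starting at the project root, e.g. [app@1.0.0 x@1.2.3 y@0.1.0];
// upgradePath is index-aligned with it, "" meaning "unchanged".
func classify(from, upgradePath []string) (Advice, error) {
	if len(from) < 2 || len(upgradePath) != len(from) {
		return Advice{}, fmt.Errorf("malformed paths: from=%d upgradePath=%d", len(from), len(upgradePath))
	}
	name, cur := splitPkg(from[1])
	target := cur
	if upgradePath[1] != "" {
		_, target = splitPkg(upgradePath[1])
	}
	// The defect described in the PR: flagging every issue with an upgrade path as
	// directly upgradable prints "upgrade x@1.2.3 to x@1.2.3" when only the nested
	// y changes. Direct must mean the direct dependency's version actually moves.
	return Advice{Direct: target != cur, Package: name, FromVersion: cur, ToVersion: target}, nil
}

func main() {
	// Constructed sample: the fix lives in nested y, x stays at 1.2.3.
	a, _ := classify([]string{"app@1.0.0", "x@1.2.3", "y@0.1.0"}, []string{"", "x@1.2.3", "y@0.2.0"})
	fmt.Printf("direct=%v %s %s -> %s\n", a.Direct, a.Package, a.FromVersion, a.ToVersion)
}
```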


snyk-io bot commented Apr 9, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical  High  Medium  Low  Total (0)
         Open Source Security   0         0     0       0    0 issues
         Licenses               0         0     0       0    0 issues
         Code Security          0         0     0       0    0 issues


@CatalinSnyk CatalinSnyk force-pushed the chore/CLI-1375_ufm_remediation_for_direct_dependencies branch from 35a1d52 to c9239cd on April 17, 2026 11:33
@CatalinSnyk CatalinSnyk force-pushed the chore/CLI-1375_ufm_remediation_for_direct_dependencies branch from c9239cd to 3ee408b on April 17, 2026 13:38
@CatalinSnyk CatalinSnyk marked this pull request as ready for review April 17, 2026 13:39
@CatalinSnyk CatalinSnyk requested review from a team as code owners April 17, 2026 13:39
@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ No major issues detected
📚 Repository Context Analyzed

This review considered 3 relevant code sections from 2 files (average relevance: 0.83)

@CatalinSnyk CatalinSnyk enabled auto-merge April 17, 2026 13:42
@CatalinSnyk CatalinSnyk merged commit 1edc7c9 into main Apr 17, 2026
9 checks passed
@CatalinSnyk CatalinSnyk deleted the chore/CLI-1375_ufm_remediation_for_direct_dependencies branch April 17, 2026 14:43