Closed
Description
I have noticed recently that the npm vulnerability affected range types changed from SEMVER to ECOSYSTEM, but the way the impacted versions are described is as if SEMVER, using `introduced` and `fixed`, and no `versions` list is defined, which is what the spec suggests should be done.
I am looking at the spec here: https://ossf.github.io/osv-schema/#affectedrangestype-field
Any reason why this has changed, as it did used to be correct?
An example is GHSA-mf22-92pm-m8p8
```json
"affected": [
  {
    "package": {
      "ecosystem": "npm",
      "name": "@awsui/components-react"
    },
    "ranges": [
      {
        "type": "ECOSYSTEM",   // <= Should this be SEMVER ? As events below are in semver format?
        "events": [
          {
            "introduced": "0"
          },
          {
            "fixed": "3.0.367"
          }
        ]
      }
    ]
  }
],
```
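The mismatch raised above can be caught mechanically. The following is an added example (not code from the issue, from GitHub's advisory database or from the OSV project) that lints an OSV `affected` entry: it flags an `ECOSYSTEM` range whose `introduced`/`fixed` events all parse as SemVer while the entry carries no `versions` list, and it shows how such events are evaluated under `SEMVER` semantics. The sample entry is the one quoted in the issue, wrapped in an object so it parses as a complete document; the function names and the simplified SemVer parser are this example's own.

```python
"""Lint OSV 'affected' entries for the ECOSYSTEM-vs-SEMVER range type mismatch."""
import json
import re

# Constructed sample: the affected entry quoted in the issue, wrapped in an
# enclosing object so that it is a complete JSON document.
SAMPLE = json.loads("""
{
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "@awsui/components-react"},
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [{"introduced": "0"}, {"fixed": "3.0.367"}]
        }
      ]
    }
  ]
}
""")

# Minimal SemVer 2.0.0 shape: MAJOR.MINOR.PATCH with optional -prerelease and +build.
_SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version):
    """Return a sortable key for a SemVer string.

    The bare string "0" is accepted because OSV uses it in "introduced"
    events to mean "from the first version ever published".
    """
    if version == "0":
        return (0, 0, 0, (1,))
    m = _SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a SemVer version: {version!r}")
    major, minor, patch, pre = m.groups()
    if pre:
        # Numeric identifiers compare numerically and sort before alphanumeric ones;
        # any pre-release sorts below the corresponding release, hence the leading 0.
        idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
        pre_key = (0, idents)
    else:
        pre_key = (1,)
    return (int(major), int(minor), int(patch), pre_key)


def events_look_like_semver(events):
    """True when every event value in the range parses as SemVer."""
    for ev in events:
        for key in ("introduced", "fixed", "last_affected"):
            if key in ev:
                try:
                    parse_semver(ev[key])
                except ValueError:
                    return False
    return True


def lint_affected(entry):
    """Return a list of human-readable findings for one 'affected' entry."""
    findings = []
    for rng in entry.get("ranges", []):
        rtype = rng.get("type")
        events = rng.get("events", [])
        if rtype == "ECOSYSTEM" and "versions" not in entry and events_look_like_semver(events):
            findings.append(
                "ECOSYSTEM range has SemVer-shaped events but the entry lists no "
                "'versions'; either add 'versions' or use type SEMVER"
            )
        if rtype == "SEMVER" and not events_look_like_semver(events):
            findings.append("SEMVER range contains an event value that is not SemVer")
    return findings


def is_affected_semver(version, events):
    """Evaluate introduced/fixed/last_affected events with SEMVER ordering."""
    v = parse_semver(version)
    affected = False
    # Walk events in ascending version order; the last event at or below v wins.
    for ev in sorted(events, key=lambda e: parse_semver(next(iter(e.values())))):
        if "introduced" in ev and v >= parse_semver(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_semver(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and v > parse_semver(ev["last_affected"]):
            affected = False
    return affected


if __name__ == "__main__":
    for entry in SAMPLE["affected"]:
        for finding in lint_affected(entry):
            print(f"{entry['package']['name']}: {finding}")
```

Run against the quoted entry, the linter reports the single finding the issue is about; `is_affected_semver` is what a consumer would have to do anyway to evaluate these events, which is the practical argument for labelling the range `SEMVER` when no `versions` list is supplied.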