fix(scanner): show the OSV range that matched the queried version, not ranges[0]#84
Merged
Merged
Conversation
…t ranges[0] extractVulnRangeInfo now receives the resolved dep version and selects the affected range whose [introduced, fixed) interval contains it (semver-coerced), instead of always returning the first range. On an ambiguous or non-coercible version it falls back to all affected ranges joined by a comma. Single-range advisories are unchanged. Adds semver as a direct dependency and 7 unit tests. Refs: agent-tasks 6db0ae34 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
extractVulnRangeInfo()now returns the OSV affected range that actually contains the resolved dependency version, instead of always returning the first range. Multi-range advisories previously displayed a misleadingvulnerableRangeon the dashboard.Why
CVE sweep 2026-06-21: glob advisory GHSA-5j98-mcp5-4vw2 has two npm ranges (
[11.0.0,11.1.0)and[10.2.0,10.5.0)) split across twoaffectedentries. A dep resolved to 10.3.0 matched via the 10.x range, but depsight showed>=11.0.0 <11.1.0. Cosmetic (no effect on flagging) but misleading on a security dashboard.How
[introduced, fixed)interval contains the version (semver-coerced). On ambiguity or a non-coercible version it falls back to all candidate ranges joined by a comma. Single-range advisories are unchanged.semveras a direct dependency (was already transitive).Tests
Follow-up
last_affectedhandling tracked in a separate task (pre-existing, out of scope here).Refs: agent-tasks 6db0ae34