fix(vulnerabilities): do not force exact patch version in OSV alerts #29666
Changes
OSV vulnerability alerts may suggest a particular patch version that could be retracted, currently resulting in no PR being created at all. This change relaxes `==` to `>=`, so that the first available version is picked.

This PR also removes an extra condition for OSV that caused advisories with the `last_affected` field set to suggest the newest version, rather than the minimal patched version. Advisories usually populate the `fixed` version, not the `last_affected` field, so this was infrequently used. Now, with the change to `>=`, e.g. for pypi, the security fix PR would suggest version 2.32.3 to address CVE-2024-35195 in `requests <= 2.32.0`, whereas the minimal patched version is 2.32.2 (see test repo).
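The two behaviours the PR description contrasts, as an added example that is not Renovate's code and not part of the original PR: an OSV `affected.ranges[].events` list is turned into a lower bound for a patched version (`fixed` is inclusive, `last_affected` is exclusive), and that bound is then matched against the versions actually published. `exactFixedVersion` models the old `==` lookup, which finds nothing when the `fixed` version was yanked; `minimalAvailablePatchedVersion` models the relaxed `>=` lookup, which picks the smallest non-yanked version satisfying the bound rather than the newest. The version comparison handles dotted-numeric versions only (an assumption; real PyPI versions follow PEP 440), and the release list, including which version is marked yanked, is constructed for illustration and is not a claim about what is on PyPI.

```typescript
// Added example (not Renovate's code): resolve the minimal *available* patched
// version from an OSV affected range, given the versions actually published.

// Assumption: dotted-numeric releases only (e.g. "2.32.2"); pre-release and
// post-release suffixes from PEP 440 are deliberately rejected.
function parseVersion(v: string): number[] {
  return v.split('.').map((part) => {
    const n = Number.parseInt(part, 10);
    if (Number.isNaN(n) || String(n) !== part) {
      throw new Error(`unsupported version segment in ${v}`);
    }
    return n;
  });
}

// Numeric comparison per segment; missing trailing segments count as 0, so
// "2.32" == "2.32.0" and "2.32.10" > "2.32.9".
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Subset of the OSV schema's range events that this example uses.
interface OsvEvent {
  introduced?: string;
  fixed?: string;
  last_affected?: string;
}

interface PublishedVersion {
  version: string;
  yanked: boolean;
}

interface PatchBound {
  version: string;
  inclusive: boolean; // true for `fixed` (first safe), false for `last_affected` (last vulnerable)
}

// First patched-version bound in the event list, or null for an open-ended range.
function patchedLowerBound(events: OsvEvent[]): PatchBound | null {
  for (const ev of events) {
    if (ev.fixed) {
      return { version: ev.fixed, inclusive: true };
    }
    if (ev.last_affected) {
      return { version: ev.last_affected, inclusive: false };
    }
  }
  return null;
}

// Old behaviour modelled here: require exactly the `fixed` version (==).
// Returns null (no PR would be raised) when that version is yanked or absent.
function exactFixedVersion(events: OsvEvent[], published: PublishedVersion[]): string | null {
  const bound = patchedLowerBound(events);
  if (!bound || !bound.inclusive) {
    return null;
  }
  const hit = published.find((p) => !p.yanked && compareVersions(p.version, bound.version) === 0);
  return hit ? hit.version : null;
}

// New behaviour modelled here: smallest non-yanked version with >= fixed
// (or > last_affected). Deliberately not the newest version.
function minimalAvailablePatchedVersion(events: OsvEvent[], published: PublishedVersion[]): string | null {
  const bound = patchedLowerBound(events);
  if (!bound) {
    return null;
  }
  const candidates = published
    .filter((p) => !p.yanked)
    .filter((p) => {
      const c = compareVersions(p.version, bound.version);
      return bound.inclusive ? c >= 0 : c > 0;
    })
    .sort((a, b) => compareVersions(a.version, b.version));
  const first = candidates[0];
  return first ? first.version : null;
}

// Constructed sample data (assumption, not a statement about PyPI): 2.32.1 is
// marked yanked so that an advisory pointing at it has no exact match.
const REQUESTS_RELEASES: PublishedVersion[] = [
  { version: '2.31.0', yanked: false },
  { version: '2.32.0', yanked: false },
  { version: '2.32.1', yanked: true },
  { version: '2.32.2', yanked: false },
  { version: '2.32.3', yanked: false },
];

// Constructed advisory A: `fixed` points at the yanked release.
const ADVISORY_FIXED_YANKED: OsvEvent[] = [{ introduced: '0' }, { fixed: '2.32.1' }];

// Constructed advisory B: only `last_affected` is set, as in the PR's `<= 2.32.0` case.
const ADVISORY_LAST_AFFECTED: OsvEvent[] = [{ introduced: '0' }, { last_affected: '2.32.0' }];

console.log('== lookup, fixed yanked :', exactFixedVersion(ADVISORY_FIXED_YANKED, REQUESTS_RELEASES));
console.log('>= lookup, fixed yanked :', minimalAvailablePatchedVersion(ADVISORY_FIXED_YANKED, REQUESTS_RELEASES));
console.log('>  lookup, last_affected:', minimalAvailablePatchedVersion(ADVISORY_LAST_AFFECTED, REQUESTS_RELEASES));
```

Run with `npx tsx example.ts` (or compile with `tsc`). The `last_affected` case is the one to watch in review: it is an exclusive bound, so treating it like `fixed` would either recommend the still-vulnerable version itself or, if the range is collapsed to "anything newer", jump straight to the newest release instead of the minimal patched one.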