Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. ItĀ collects links to all the places you might be looking at while hunting down a tough bug.
And, if youāre still stuck at the end, weāre happy to hop on a call to see how we can help out.
Snyk vulnerability range for unfixed vulnerabilities
See original GitHub issueSummary
Hi š
My name is Amotz, working for Snyk.
I wanted to update you that we are revisiting our current method for providing ranges for unfixed vulnerabilities, as part of a standardization effort we are doing in this area.
See https://github.com/GoogleChrome/lighthouse/issues/8748 for context.
In cases of unfixed vulnerabilities, weād like to provide * as the range, and, if necessary, have it resolved on LH side to a specific version range (e.g. <=x.y.z), instead of resolving it on our side.
We still donāt have clear timeline for this, but wanted to give you heads up and start a discussion.
Issue Analytics
- State:
- Created a year ago
- Comments:5
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
#9308 (more direct link to context)
We wouldnāt be able to confidently determine the correct ālatest versionā that snyk is considering ourselves in any post process stepā¦ (assumption: there is significant delay between the calculation of these constraints, the opening of PRs, and any post processing we might do as a result). Maybe if we are provided a timestamp for when a synk database was made we could use
npm view <package> timeto match to the correct verison?Any way ālatest package version as of this snyk db snapshotā could be kept as extra data in a new field?
This is something we could do. We can add another metadata file to the PR, and have something like this: