Describe the bug

When the lock file contains multiple versions of the same library, and at least one version is vulnerable, the tool detects the library but returns as output the last version written in the file.
The issue was found when trying to run the tool on the https://github.com/nrwl/nx repo.

Version of dependency-check used

The problem occurs using version 6.5.0 of the CLI.

To Reproduce

Steps to reproduce the behavior:

Real life scenario:
1. The `nx` repo (https://github.com/nrwl/nx)
2. Remove the existing `yarn.lock` file and create a `package-lock.json` file instead.
3. Run the dependency-check CLI.
4. In the report, we see only version 6.0.1 of the `ansi-regex` library, although this version has no vulnerability. In the lock file, we may see lots of occurrences of `ansi-regex` with different versions (some vulnerable and some not).

** When running on the existing `yarn.lock` file, the tool reports version 2.0.1 (which also has no vulnerability), and it is the first in the file.

Smaller example:
1. Create a node project with the following `package.json` file:
2. `npm i`
3. In the report, we see only version 6.0.1 of the `ansi-regex` library, although this version has no vulnerability. In the lock file, we may see lots of occurrences of `ansi-regex` with different versions (some vulnerable and some not).

Expected behavior

Report only the `ansi-regex` versions with a vulnerability.
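As an added example that is not part of the original issue and not dependency-check's own code, the script below (written for this page) shows the shape of the bug the reporter describes: a scanner that keeps one slot per package name overwrites earlier entries, so only the last version in file order survives, while keeping a set of versions per name preserves every pinned copy. The lock file is constructed inline (lockfileVersion 2, with `ansi-regex` nested under several packages and 6.0.1 as the last entry, mirroring the report); the "advisory" ranges are stand-ins invented for the example and say nothing about which real `ansi-regex` releases are affected by anything; version comparison assumes plain `x.y.z` strings. It goes slightly beyond the issue by also walking the nested `dependencies` tree of lockfileVersion 1.

```javascript
// Added example, not dependency-check's code: collecting every installed
// version of a package from package-lock.json instead of the last one seen.

// Constructed package-lock.json (lockfileVersion 2). npm nests a second copy
// of a package under another package's node_modules when versions conflict,
// so the same name appears at several paths. 6.0.1 is deliberately last.
const SAMPLE_LOCK = JSON.stringify({
  name: "lock-demo",
  lockfileVersion: 2,
  packages: {
    "": { name: "lock-demo" },
    "node_modules/string-width": { version: "4.2.3" },
    "node_modules/string-width/node_modules/ansi-regex": { version: "4.1.0" },
    "node_modules/wrap-ansi": { version: "7.0.0" },
    "node_modules/wrap-ansi/node_modules/ansi-regex": { version: "5.0.0" },
    "node_modules/strip-ansi": { version: "7.0.1" },
    "node_modules/ansi-regex": { version: "6.0.1" },
  },
});

// Stand-in vulnerable ranges, constructed for this example only. They are not
// a statement about which real ansi-regex releases are affected by anything.
const STAND_IN_ADVISORIES = [
  { name: "ansi-regex", min: "4.0.0", maxExclusive: "4.1.1" },
  { name: "ansi-regex", min: "5.0.0", maxExclusive: "5.0.1" },
];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Yield every installed (name, version) pair. Handles the flat "packages" map
// of lockfileVersion 2/3 and the nested "dependencies" tree of version 1.
function* installedPackages(lockJson) {
  const lock = JSON.parse(lockJson);
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry.version) continue; // root project entry
      yield { name: entry.name || packageNameFromPath(path), version: entry.version };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies);
  }
}
function* walkV1(deps) {
  for (const [name, entry] of Object.entries(deps)) {
    yield { name, version: entry.version };
    if (entry.dependencies) yield* walkV1(entry.dependencies);
  }
}

// The buggy shape: one slot per package name, so each occurrence overwrites
// the previous one and only the last version in file order survives.
function lastVersionWins(lockJson) {
  const byName = {};
  for (const { name, version } of installedPackages(lockJson)) byName[name] = version;
  return byName;
}

// The fix: one set of versions per name, so no pinned copy is lost.
function allVersions(lockJson) {
  const byName = {};
  for (const { name, version } of installedPackages(lockJson)) {
    if (!byName[name]) byName[name] = new Set();
    byName[name].add(version);
  }
  return Object.fromEntries(
    Object.entries(byName).map(([n, s]) => [n, [...s].sort(compareVersions)])
  );
}

// Plain x.y.z comparison (assumption: no pre-release tags in the sample).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Report every (name, version) pair inside an advisory range, not just one per name.
function vulnerableVersions(lockJson, advisories) {
  const hits = [];
  for (const [name, versions] of Object.entries(allVersions(lockJson))) {
    for (const v of versions) {
      const hit = advisories.some(a => a.name === name &&
        compareVersions(v, a.min) >= 0 && compareVersions(v, a.maxExclusive) < 0);
      if (hit) hits.push({ name, version: v });
    }
  }
  return hits;
}

console.log("last-wins:", lastVersionWins(SAMPLE_LOCK)["ansi-regex"]);
console.log("all versions:", allVersions(SAMPLE_LOCK)["ansi-regex"]);
console.log("vulnerable:", vulnerableVersions(SAMPLE_LOCK, STAND_IN_ADVISORIES));
```

Run it with `node` and compare the first two lines: the last-wins map reports only 6.0.1 for `ansi-regex`, while the per-name set reports 4.1.0, 5.0.0 and 6.0.1, and the matcher then flags the two stand-in ranges rather than nothing. The same overwrite happens in a yarn.lock parser keyed by name; there the surviving entry is whichever the parser stores last, which for the reporter was the first in the file.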