deps(snyk): update snyk snapshot #11144
| {"id":"SNYK-JS-DOJO-72305","severity":"medium","semver":{"vulnerable":["<1.14"]}}, | ||
| {"id":"npm:dojo:20180818","severity":"medium","semver":{"vulnerable":["<1.10.10",">=1.11.0 <1.11.6",">=1.12.0 <1.12.4",">=1.13.0 <1.13.1"]}}, | ||
| {"id":"npm:dojo:20160523","severity":"medium","semver":{"vulnerable":["<1.1.0"]}}, | ||
| {"id":"npm:dojo:20160523","severity":"medium","semver":{"vulnerable":["<0.0.0"]}}, |
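Review bot: the last row of this hunk adds a second `npm:dojo:20160523` entry whose only range is `<0.0.0`, which no version can satisfy, so it sits in the snapshot as dead weight next to the `<1.1.0` entry with the same id. Unless the consumer already drops empty ranges (the thread points at lighthouse-core/scripts/cleanup-vuln-snapshot.js for that), it would be better to filter such entries before commit, or to document that `<0.0.0` is the upstream marker for an advisory that was withdrawn, so later reviewers do not read it as a bot mistake.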
Now a <0.0.0 along with the noop lodash change? What is up with you, snyk-bot?
ya, shouldn't this be deleted?
hey @aviadatsnyk, these seem like potential mistakes?
bump, @aviadatsnyk we got another PR of these noop updates today #11179
Sorry for missing this, @patrickhulce . Usually @lirantal is better than me for these things :)
This is our way of saying it was deemed not a vulnerability, while still letting you know it existed once, instead of just pulling the carpet from under your feet. This is the equivalent of the empty range, and so no user will ever have this vulnerability "found" in their scan. I'm not sure it makes sense for your use case, but this is how we do it to support other ones.
Is this a problem?
ah gotcha, thanks for the explanations @aviadatsnyk!
These changes all make sense from the perspective of a shared database 👍
<0.0.0 we can filter out on our end in https://github.com/GoogleChrome/lighthouse/blob/master/lighthouse-core/scripts/cleanup-vuln-snapshot.js so that one's not a problem at all.
From the Lighthouse perspective it's unfortunate to invest review attention on PRs with no user-impact, so the <4.17.16 type of change ideally wouldn't trigger the bot and just be lumped in with the next real change. Not sure how we could enforce that though, so I'm fine with this.
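The filtering discussed above, as an added example that is not Lighthouse's cleanup-vuln-snapshot.js nor Snyk's code: it decides whether a vulnerable range is empty (the `<0.0.0` marker), drops entries that have no non-empty range left, and looks up which remaining advisories cover an installed version. It assumes ranges are space-separated comparators over plain numeric versions (no prerelease tags, no `^`, `~` or `||`), and the sample snapshot is constructed from the ids in the diff.

```javascript
// Added example, not Lighthouse's own script. Constructed sample in the snapshot's row format.
const SNAPSHOT = {
  dojo: [
    {id: 'SNYK-JS-DOJO-72305', severity: 'medium', semver: {vulnerable: ['<1.14']}},
    {id: 'npm:dojo:20180818', severity: 'medium', semver: {vulnerable: ['<1.10.10', '>=1.11.0 <1.11.6']}},
    {id: 'npm:dojo:20160523', severity: 'medium', semver: {vulnerable: ['<0.0.0']}},
  ],
  lodash: [{id: 'SNYK-JS-LODASH-567746', severity: 'medium', semver: {vulnerable: ['<4.17.16']}}],
};
// "1.14" -> [1, 14, 0]. Assumption: plain numeric versions, no prerelease tags.
const parseVersion = v => Object.assign([0, 0, 0], v.split('.').map(Number));
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// A range such as ">=1.11.0 <1.11.6" is an AND of comparators -> [op, version] pairs.
const parseRange = range => range.trim().split(/\s+/).map(c => {
  const m = /^(<=|>=|<|>|=?)(\d+(?:\.\d+){0,2})$/.exec(c);
  if (!m) throw new Error(`unsupported comparator: ${c}`);
  return [m[1] || '=', parseVersion(m[2])];
});

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(([op, bound]) => {
    const c = compare(v, bound);
    return {'<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0}[op];
  });
}

// Empty when the smallest version the lower bounds allow (0.0.0 if none) already fails the range.
function isEmptyRange(range) {
  let lowest = [0, 0, 0];
  for (const [op, b] of parseRange(range)) {
    const floor = op === '>' ? [b[0], b[1], b[2] + 1] : op[0] === '<' ? lowest : b;
    if (compare(floor, lowest) > 0) lowest = floor;
  }
  return !satisfies(lowest.join('.'), range);
}

// Keep only entries that still have at least one non-empty vulnerable range.
function cleanSnapshot(snapshot) {
  return Object.fromEntries(Object.entries(snapshot).map(([pkg, entries]) =>
    [pkg, entries.filter(e => e.semver.vulnerable.some(r => !isEmptyRange(r)))]));
}
// Ids of advisories whose vulnerable range covers the installed version.
function findVulnerabilities(snapshot, pkg, version) {
  return (snapshot[pkg] || []).filter(e => e.semver.vulnerable.some(r => satisfies(version, r))).map(e => e.id);
}
```

With this, the `<0.0.0` dojo entry is dropped from the cleaned snapshot, and the `<=4.17.15` and `<4.17.16` lodash spellings match exactly the same versions.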
| ], | ||
| "lodash":[ | ||
| {"id":"SNYK-JS-LODASH-567746","severity":"medium","semver":{"vulnerable":["<=4.17.15"]}}, | ||
| {"id":"SNYK-JS-LODASH-567746","severity":"medium","semver":{"vulnerable":["<4.17.16"]}}, |
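Review bot: the two `SNYK-JS-LODASH-567746` rows in this hunk describe the same version set, since `<=4.17.15` and `<4.17.16` differ only in how the boundary is written, so the hunk changes no scan result; its only gain, as the thread notes, is that the new form names the fixed version. To stop such range-only rewrites from consuming review time, the cleanup step could normalise `<=X` to the exclusive form when the next release is known and treat a diff that leaves every match set unchanged as not worth a separate PR.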
noop???? there are no versions between these two https://www.npmjs.com/package/lodash
Hey @connorjclark - there indeed is no version there, but this has the added bonus of telling a user that a fixed version exists, and even stating it. The old variant would not have told you which version to upgrade to (the next version might have been 5.0.0 for all the user knows).
closing in favor of https://github.com/GoogleChrome/lighthouse/pull/11223/files
Why this PR?
A weekly update of the vulnerabilities snapshot for Lighthouse.