
Incorrect version in package-lock.json triggers false positive for critical security vulnerability

Open 0xg0nz0 opened this issue 7 months ago • 0 comments

In ~/.vscode-server/extensions/github.vscode-github-actions-0.26.3/script/workspace/package-lock.json:

    "vscode-github-actions": {
      "version": "0.25.6",

So it looks like the declared version in the lock file (0.25.6) is older than the package version (0.26.3).

This in turn gets flagged in grype:

vscode-github-actions  0.25.6                                                                    npm        GHSA-wvmr-x489-hcpj  Critical  

Which is quite the false alarm, given the severity of that particular issue:

https://github.com/advisories/GHSA-wvmr-x489-hcpj

0xg0nz0, Jul 03 '24 11:07