
Issue a PR when a version update clears an NSP/SNYK Advisory

Open • AccaliaDeElementia opened this issue 8 years ago • 1 comment

We use Greenkeeper on several projects and have noticed that several PRs that we would have liked greenkeeper to make were not made because the version update was within the range specified in our package.json for the dependency.

Specifically, the PRs we would have liked to get are ones that would have cleared an NSP/SNYK advisory (either direct or nested).

For example:

[email protected] has a nested SNYK advisory due to the nested dependency on [email protected], which has a vulnerability where excessively large messages can cause a Denial of Service (as seen below in our bithound.io report).

[image: bithound.io report showing the nested advisory]

This advisory would have been cleared by updating to the recently released [email protected], so we would like it if greenkeeper could detect this state and issue the PR to remove a security vulnerability from dependent projects that use greenkeeper.

Is this a feature that could be implemented?

AccaliaDeElementia, Oct 07 '16 12:10
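The check the issue asks for, written out as an added example (not Greenkeeper's code): given the ranges declared in package.json, the versions currently resolved, the vulnerable ranges from advisories and the versions published, find updates that stay inside the declared range yet move off a vulnerable version, which is exactly the case a range-only update bot skips. It covers the direct-dependency case with a minimal semver subset (caret ranges and comparator lists); package names, versions and the advisory are constructed.

```javascript
'use strict';

// Minimal semver helpers (assumption: plain x.y.z versions, no prerelease tags).
function parse(v) { return v.split('.').map(Number); }
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Supports "^x.y.z" (caret) and space-separated comparators such as ">=1.0.0 <1.3.1",
// the two forms needed for package.json ranges and advisory vulnerable ranges here.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const [major] = parse(base);
    return cmp(version, base) >= 0 && cmp(version, `${major + 1}.0.0`) < 0;
  }
  return range.split(/\s+/).every((c) => {
    const m = c.match(/^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const d = cmp(version, m[2]);
    const op = m[1] || '=';
    return op === '>=' ? d >= 0 : op === '<=' ? d <= 0 : op === '>' ? d > 0 : op === '<' ? d < 0 : d === 0;
  });
}

function isVulnerable(name, version, advisories) {
  return advisories.some((a) => a.name === name && satisfies(version, a.vulnerable));
}

// For each dependency whose resolved version is vulnerable, pick the newest published
// version that is (a) inside the declared range, (b) newer, and (c) not vulnerable.
// A range-only bot sees no work here because (a) already holds for the installed version.
function securityUpdates({ ranges, resolved, published, advisories }) {
  const updates = [];
  for (const [name, range] of Object.entries(ranges)) {
    const current = resolved[name];
    if (!isVulnerable(name, current, advisories)) continue;
    const candidates = published[name]
      .filter((v) => satisfies(v, range) && cmp(v, current) > 0 && !isVulnerable(name, v, advisories))
      .sort(cmp);
    if (candidates.length) updates.push({ name, from: current, to: candidates[candidates.length - 1] });
  }
  return updates;
}

// Constructed sample: 1.3.0 is in range but still vulnerable, 2.0.0 is fixed but out of range.
const sample = {
  ranges: { 'example-lib': '^1.2.0' },
  resolved: { 'example-lib': '1.2.3' },
  published: { 'example-lib': ['1.2.3', '1.3.0', '1.3.1', '2.0.0'] },
  advisories: [{ name: 'example-lib', vulnerable: '<1.3.1' }],
};
function demo() { return securityUpdates(sample); }
console.log(demo());
```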

Hey @AccaliaDeElementia,

thanks for the very thorough explanation. This sounds really interesting and we hope we can develop such a feature in the future.

Thanks for the feedback, Stephan

boennemann, Oct 07 '16 21:10