
Bad OSV PR suggestions

Open · evankanderson opened this issue 1 year ago · 1 comment

Describe the issue

https://github.com/stacklok/minder/pull/4440/files/690fa2df0b83a36857618fdeca86f897b2821e9c#r1753513887

-       "version": "0.18.0",
-       "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
-       "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==",
-       "dependencies": {
-         "debug": "2.6.9",
-         "depd": "2.0.0",
+     "node_modules/serve-static/node_modules/send": {
+       "version": "0.18.0",
+ 0.18.0
+       "version": "0.19.0",
+       "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz",
+       "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==",
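Review bot: the bare `+ 0.18.0` line sitting between `"version": "0.18.0",` and `"version": "0.19.0",` in the new `"node_modules/serve-static/node_modules/send"` object is not a JSON value, so the suggested file cannot be parsed at all, and even without that line the object would carry two `"version"` keys in a row. A version bump for the nested copy of `send` should rewrite the `"version"`, `"resolved"` and `"integrity"` values of the entry in place, leaving exactly one of each, rather than emitting a fresh object header followed by both the old and the new version. The removed lines also drop the opening of the `"dependencies"` block (`"debug"`, `"depd"`) for the original entry without any replacement on the `+` side, which would need to be restored for the entry to stay complete.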

This diff is nonsense -- it's not even valid JSON! Meanwhile, the original PR actually did upgrade node_modules/send to 0.19.0; this was a sub-module dependency of serve-static which got picked up.

To Reproduce

See above

What version are you using?

No response

evankanderson, Sep 11 '24 20:09
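The check that would have rejected a suggestion like the one above before it reached a PR: apply the proposed edit, parse the result as JSON, and confirm that every copy of the package in `packages` (the top-level one and any nested under another package, as with `serve-static` here) is at the target version with a matching `resolved` URL. This is an added example, not minder's own code or rule; the three lockfile fragments are constructed for the example (the 0.18.0/0.19.0 versions, tarball URLs and integrity hashes are the ones from the diff in the issue), and `validateBump` and `isEntryFor` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// lockfile is the subset of a package-lock.json (lockfileVersion 2 or 3) that
// matters for a version bump: the "packages" map keyed by node_modules path.
type lockfile struct {
	Packages map[string]struct {
		Version   string `json:"version"`
		Resolved  string `json:"resolved"`
		Integrity string `json:"integrity"`
	} `json:"packages"`
}

// isEntryFor reports whether a packages key is the top-level entry for pkg or
// a copy nested under some other package (".../node_modules/<pkg>").
func isEntryFor(path, pkg string) bool {
	return path == "node_modules/"+pkg || strings.HasSuffix(path, "/node_modules/"+pkg)
}

// validateBump parses a candidate lockfile after a suggested edit has been
// applied and checks that every entry for pkg is at wantVersion. It returns an
// error for invalid JSON, for an entry still on another version, and for an
// entry whose resolved URL or integrity field does not match the bump.
// Note that encoding/json tolerates duplicate keys (last one wins), so the
// per-entry checks are needed even when the file parses.
func validateBump(candidate []byte, pkg, wantVersion string) error {
	var lf lockfile
	if err := json.Unmarshal(candidate, &lf); err != nil {
		return fmt.Errorf("suggested lockfile is not valid JSON: %w", err)
	}
	found := 0
	for path, entry := range lf.Packages {
		if !isEntryFor(path, pkg) {
			continue
		}
		found++
		if entry.Version != wantVersion {
			return fmt.Errorf("%s is at %s, want %s", path, entry.Version, wantVersion)
		}
		if !strings.HasSuffix(entry.Resolved, "/"+pkg+"-"+wantVersion+".tgz") {
			return fmt.Errorf("%s: resolved URL %q does not point at %s", path, entry.Resolved, wantVersion)
		}
		if entry.Integrity == "" {
			return fmt.Errorf("%s: integrity field is missing", path)
		}
	}
	if found == 0 {
		return fmt.Errorf("no entry for %s in packages", pkg)
	}
	return nil
}

// Constructed lockfile fragments for the example.
const (
	send18 = `"version": "0.18.0",
      "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
      "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg=="`
	send19 = `"version": "0.19.0",
      "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz",
      "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw=="`

	// goodLock: both the top-level send and the copy under serve-static were bumped.
	goodLock = `{"lockfileVersion": 3, "packages": {
    "node_modules/send": {` + send19 + `},
    "node_modules/serve-static/node_modules/send": {` + send19 + `}}}`

	// staleLock: only the top-level copy was bumped; the nested one is still 0.18.0.
	staleLock = `{"lockfileVersion": 3, "packages": {
    "node_modules/send": {` + send19 + `},
    "node_modules/serve-static/node_modules/send": {` + send18 + `}}}`

	// brokenLock: the shape of the suggestion in the issue, with a bare 0.18.0
	// token and two "version" keys in the nested entry. Not valid JSON.
	brokenLock = `{"lockfileVersion": 3, "packages": {
    "node_modules/send": {` + send19 + `},
    "node_modules/serve-static/node_modules/send": {
      "version": "0.18.0",
      0.18.0
      ` + send19 + `}}}`
)

func main() {
	for name, lock := range map[string]string{"good": goodLock, "stale": staleLock, "broken": brokenLock} {
		fmt.Printf("%-6s -> %v\n", name, validateBump([]byte(lock), "send", "0.19.0"))
	}
}
```

Running this prints `nil` for the good fragment, a "not valid JSON" error for the broken one, and an "is at 0.18.0, want 0.19.0" error for the stale one; the stale case is the one a JSON-validity check alone would miss, which is why the nested-path match in `isEntryFor` is part of the check.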

If we replace this with a Rego-only rule, we'll have a different approach.

evankanderson, Jan 28 '25 14:01