* Initial plan
* Initial plan for adding patched versions to vulnerability summary
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add patched version column to vulnerability summary table
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Optimize API calls to use Set and Promise.all for better performance
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Remove type assertions and optimize ecosystem lookups with normalization
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Extract patch version type checking into helper function for clarity
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Support multiple version ranges per package in advisory lookup
Handle scenarios where the same package has multiple vulnerable version ranges
with different patched versions (e.g., GHSA-gwq6-fmvp-qp68 with .NET packages).
- Store all vulnerability entries with version ranges, not just one per ecosystem
- Implement version range matching to select correct patch version
- Match package by ecosystem, name, AND version range
- Add comprehensive test for multi-range scenario
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Fix first_patched_version extraction to handle string format
The GitHub Advisory API returns first_patched_version as a simple string
(e.g., "112.0.0"), not an object with an identifier field. Updated
extractPatchVersionId to handle string format primarily while maintaining
backward compatibility with object format.
- Fixed extractPatchVersionId to check for string first
- Updated test mocks to match actual API response format
- Added specific test for RestSharp GHSA-4rr6-2v9v-wcpc case
- Verified with actual API responses from multiple advisories
Fixes issue where patched versions were showing as "N/A" instead of
the actual version number.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Rebuild dist with patched version fix
The previous fix to extractPatchVersionId wasn't deployed because the dist/
folder (compiled JavaScript) wasn't rebuilt. This commit rebuilds and packages
the action with npm run build && npm run package to include the fix.
Changes in dist/:
- Updated extractPatchVersionId to handle string format first
- Includes all async vulnerability summary logic with API calls
- Properly extracts patched versions from GitHub Advisory API
This should resolve the issue where patched versions showed as "N/A" in
actual GitHub Actions runs.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
* Add comprehensive debug logging for patch version lookup
Added detailed debug logging to help troubleshoot patch version issues:
- Log when fetching advisory data from API
- Log number of vulnerability entries found
- Log each patch info entry added with details
- Log when no patch version is found
- Log during lookup phase with package details
- Log when patch version is found vs not found
- Log available entries when no match is found
This will make it much easier to diagnose issues in GitHub Actions debug mode.
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
We don't really need to prevent changes to the dist directory
being committed. If someone does push a change to the dist directory,
they'd be able to test with that. Plus the files will be regenerated
on main, so that we know the final dist files are correct.
This also fixes up some paths in the ci-update-dist.yml workflow
which generates the dist files on main.
This adapts an approach taken by the Gradle actions in order to
generate the dist files on the main branch rather than having
every contributor need to generate them. (In fact, people will no
longer be able to submit PRs with the dist files updated). This
change is important because the current approach means that
people encounter merge conflicts all the time and will need to
keep regenerating the dist files in order to land their change.