deps(snyk): update snyk snapshot #9793
Conversation
| {"id":"npm:jquery:20150627","severity":"medium","semver":{"vulnerable":["<1.12.2",">=1.12.3 <2.2.2",">=2.2.3 <3.0.0"]}}, | ||
| {"id":"npm:jquery:20140902","severity":"medium","semver":{"vulnerable":[">=1.4.2 <1.6.2"]}}, | ||
| {"id":"npm:jquery:20120206","severity":"medium","semver":{"vulnerable":[">=1.7.1 <1.9.0"]}}, | ||
| {"id":"npm:jquery:20110606","severity":"medium","semver":{"vulnerable":["<1.6.3"]}} | ||
| ], | ||
| "jquery-mobile":[ | ||
| {"id":"SNYK-JS-JQUERYMOBILE-174599","severity":"medium","semver":{"vulnerable":["<=1.5.0-alpha.1"]}}, |
There was a problem hiding this comment.
@patrickhulce - does this satisfy #9779 (comment) ?
There was a problem hiding this comment.
@patrickhulce - does this satisfy #9779 (comment) ?
jquery-mobile is an interesting test of this rule. No release in two years means probably no release any time soon, but still looks like the right thing for Lighthouse to do (see #8409 (comment) for anyone new to this thread).
There was a problem hiding this comment.
yep looks like exactly what we want thanks!
| {"id":"npm:jquery:20150627","severity":"medium","semver":{"vulnerable":["<1.12.2",">=1.12.3 <2.2.2",">=2.2.3 <3.0.0"]}}, | ||
| {"id":"npm:jquery:20140902","severity":"medium","semver":{"vulnerable":[">=1.4.2 <1.6.2"]}}, | ||
| {"id":"npm:jquery:20120206","severity":"medium","semver":{"vulnerable":[">=1.7.1 <1.9.0"]}}, | ||
| {"id":"npm:jquery:20110606","severity":"medium","semver":{"vulnerable":["<1.6.3"]}} | ||
| ], | ||
| "jquery-mobile":[ | ||
| {"id":"SNYK-JS-JQUERYMOBILE-174599","severity":"medium","semver":{"vulnerable":["<=1.5.0-alpha.1"]}}, |
There was a problem hiding this comment.
@patrickhulce - does this satisfy #9779 (comment) ?
jquery-mobile is an interesting test of this rule. No release in two years means probably no release any time soon, but still looks like the right thing for Lighthouse to do (see #8409 (comment) for anyone new to this thread).
Then it means this strategy will also adequately cover it :) |
| {"id":"npm:jquery:20150627","severity":"medium","semver":{"vulnerable":["<1.12.2",">=1.12.3 <2.2.2",">=2.2.3 <3.0.0"]}}, | ||
| {"id":"npm:jquery:20140902","severity":"medium","semver":{"vulnerable":[">=1.4.2 <1.6.2"]}}, | ||
| {"id":"npm:jquery:20120206","severity":"medium","semver":{"vulnerable":[">=1.7.1 <1.9.0"]}}, | ||
| {"id":"npm:jquery:20110606","severity":"medium","semver":{"vulnerable":["<1.6.3"]}} | ||
| ], | ||
| "jquery-mobile":[ | ||
| {"id":"SNYK-JS-JQUERYMOBILE-174599","severity":"medium","semver":{"vulnerable":["<=1.5.0-alpha.1"]}}, |
There was a problem hiding this comment.
yep looks like exactly what we want thanks!
my point was that different tools like github alerts, npm, etc as mentioned in #8409 (comment) have a bigger responsibility to warn the user to stop using that library altogether, while Lighthouse should still operate on the criteria in the comment in spite of the fact that the |
|
I know, and I agree! I was just saying the fact that a new release is very unlikely to occur also means that the only downside of this strategy is very unlikely to occur as well so we're like double-safe :) (i.e. it's very unlikely that we ever have a false negative because new versions aren't being published) |
Why this PR?
a weekly update of the vulnerabilities snapshot for lighthouse