fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions)#1076
Merged
ahpook merged 1 commit intoMay 8, 2026
Conversation
…nges (e.g. Maven beta versions) When showing patched versions in the vulnerability summary, advisories with version ranges containing non-strict semver components — such as Maven's >= 2.0-beta9, < 2.25.3 — would display "N/A" instead of the correct patched version. The fix adds a coercion step in fail-open mode that rewrites invalid version components within the range string to their nearest valid semver equivalents (e.g. 2.0-beta9 → 2.0.0) before retrying validation, allowing the patched version lookup to succeed without affecting the fail-closed vulnerability detection path. Adds test case for maven and another for golang for extra coverage
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes patched-version display in the vulnerability summary when advisories use non-strict semver ranges (notably Maven-style bounds like 2.0-beta9), by adding a fail-open range coercion path in versionInRange() and expanding regression coverage in summary tests.
Changes:
- Add fail-open coercion of invalid version components inside semver range strings to improve patched-version matching.
- Refactor
versionInRange()range validation to allow retry after coercion. - Add regression tests covering a Maven non-strict range advisory and a Go pseudo-version-style advisory.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
src/summary.ts |
Adds fail-open range-string coercion when semver.validRange() rejects real-world advisory bounds. |
__tests__/summary.test.ts |
Adds regression tests ensuring patched versions are shown (not N/A) for Maven/non-strict ranges and a Go pseudo-version scenario. |
felickz
reviewed
Apr 27, 2026
Contributor
felickz
left a comment
There was a problem hiding this comment.
The only edge case here would be
ex: Advisory range is >= 2.0-beta9, < 2.25.3, patched version is 2.25.3.
| User's version | Intended range (>= 2.0.0-beta9) |
Coerced range (>= 2.0.0) |
Without PR fix (invalid range) |
|---|---|---|---|
2.12.4 |
match → shows 2.25.3 |
match → shows 2.25.3 |
N/A |
2.0.0 |
match → shows 2.25.3 |
match → shows 2.25.3 |
N/A |
2.0.0-beta10 |
match → shows 2.25.3 |
no match → N/A | N/A |
The edge case: a user on 2.0.0-beta10 is in the vulnerable range (it's after beta9) but 2.0.0-beta10 < 2.0.0 in semver ordering, so it fails the coerced >= 2.0.0 check. They'd see "N/A" instead of 2.25.3.
But that user already sees "N/A" today without the fix (the range is completely invalid). So the PR doesn't regress anything; it just doesn't fix this narrow sub-case. Though the only way you'd get a valid semver prerelease that doesn't match the coerced range is if the ecosystem used semver-style prereleases... but then the range would also be valid semver and no coercion would happen in the first place.
ahpook
approved these changes
May 8, 2026
Contributor
ahpook
left a comment
There was a problem hiding this comment.
Thanks for the fix @tspascoal
mergify Bot
added a commit
to ArcadeData/arcadedb
that referenced
this pull request
May 10, 2026
…0 [skip ci] Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.9.0 to 5.0.0. Release notes *Sourced from [actions/dependency-review-action's releases](https://github.com/actions/dependency-review-action/releases).* > 5.0.0 > ----- > > This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run. > > What's Changed > -------------- > > * Add .github/copilot-instructions.md for Copilot coding agent by [`@ahpook`](https://github.com/ahpook) in [actions/dependency-review-action#1067](https://redirect.github.com/actions/dependency-review-action/pull/1067) > * Update Node.js runtime from 20 to 24 by [`@scottschreckengaust`](https://github.com/scottschreckengaust) in [actions/dependency-review-action#1084](https://redirect.github.com/actions/dependency-review-action/pull/1084) > * Bump spdx-license-ids from 3.0.20 to 3.0.23 by [`@mongolyy`](https://github.com/mongolyy) in [actions/dependency-review-action#1091](https://redirect.github.com/actions/dependency-review-action/pull/1091) > * docs: bump actions/checkout from v4 to v6 in workflow examples by [`@Marukome0743`](https://github.com/Marukome0743) in [actions/dependency-review-action#1077](https://redirect.github.com/actions/dependency-review-action/pull/1077) > * fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by [`@tspascoal`](https://github.com/tspascoal) in [actions/dependency-review-action#1076](https://redirect.github.com/actions/dependency-review-action/pull/1076) > * Resolve security findings by [`@AshelyTC`](https://github.com/AshelyTC) in [actions/dependency-review-action#1094](https://redirect.github.com/actions/dependency-review-action/pull/1094) > * v5.0.0 release branch by [`@ahpook`](https://github.com/ahpook) in [actions/dependency-review-action#1098](https://redirect.github.com/actions/dependency-review-action/pull/1098) > > New Contributors > ---------------- > > * [`@scottschreckengaust`](https://github.com/scottschreckengaust) made their first contribution in [actions/dependency-review-action#1084](https://redirect.github.com/actions/dependency-review-action/pull/1084) > * [`@mongolyy`](https://github.com/mongolyy) made their first contribution in [actions/dependency-review-action#1091](https://redirect.github.com/actions/dependency-review-action/pull/1091) > * [`@Marukome0743`](https://github.com/Marukome0743) made their first contribution in [actions/dependency-review-action#1077](https://redirect.github.com/actions/dependency-review-action/pull/1077) > > **Full Changelog**: <actions/dependency-review-action@v4.9.0...v5.0.0> Commits * [`a1d282b`](actions/dependency-review-action@a1d282b) Merge pull request [#1098](https://redirect.github.com/actions/dependency-review-action/issues/1098) from actions/ahpook/v5-release * [`eb6c199`](actions/dependency-review-action@eb6c199) update examples to show [`@v5`](https://github.com/v5) * [`3943c2c`](actions/dependency-review-action@3943c2c) v5.0.0 release branch * [`454943c`](actions/dependency-review-action@454943c) Merge pull request [#1094](https://redirect.github.com/actions/dependency-review-action/issues/1094) from actions/ashelytc/security-findings * [`6d92a12`](actions/dependency-review-action@6d92a12) revert `@typescript-eslint/parser` update * [`a8e5a7e`](actions/dependency-review-action@a8e5a7e) Merge pull request [#1076](https://redirect.github.com/actions/dependency-review-action/issues/1076) from tspascoal/fix-version-matching-for-non-string-s... * [`b6b7079`](actions/dependency-review-action@b6b7079) update `@typescript-eslint/parser` to 8.40.0 * [`821a21d`](actions/dependency-review-action@821a21d) update more dependencies * [`05aaaae`](actions/dependency-review-action@05aaaae) run npm audit fix * [`55d3e75`](actions/dependency-review-action@55d3e75) Merge pull request [#1077](https://redirect.github.com/actions/dependency-review-action/issues/1077) from Marukome0743/docs/checkout * Additional commits viewable in [compare view](actions/dependency-review-action@2031cfc...a1d282b) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When showing patched versions in the vulnerability summary, advisories with version ranges containing non-strict semver components — such as Maven's >= 2.0-beta9, < 2.25.3 — would display "N/A" instead of the correct patched version. This happened because semver.validRange() rejects range bounds like 2.0-beta9 (missing the patch segment, e.g. 2.0.0-beta9), causing the versionInRange function to fail range validation and fall through to its fail-open default of no match. The fix adds a coercion step in fail-open mode that rewrites invalid version components within the range string to their nearest valid semver equivalents (e.g. 2.0-beta9 → 2.0.0) before retrying validation, allowing the patched version lookup to succeed without affecting the fail-closed vulnerability detection path.
Adds test case for maven and another for golang for extra coverage
Improvements to version range handling:
versionInRangefunction insrc/summary.tsto attempt coercion of invalid version components within the range string for "fail-open" mode, improving support for non-strict semver formats (e.g., converting2.0-beta9to2.0.0-beta9) and increasing compatibility with real-world advisories.versionInRangeto use a mutablevalidRangevariable, preparing for additional range coercion logic.Expanded test coverage for vulnerability summary logic:
GHSA-vc5p-v9hr-52mj) with a complex version range, ensuring the summary correctly identifies the patched version.GHSA-r9w3-57w2-gch2) with a pseudo-version range, verifying correct patched version reporting and API usage.Closes #1075