G-Rath

  • ESLint plugin for Jest

  • IntelliJ plugin that lets you restart the ESLint service

  • IntelliJ plugin that lets you fold methods in Ruby & JavaScript

  • A collection of useful scripts & loose code - PRs welcome!

Events

issue comment
S3FilesStore can use a lot of memory

I've submitted an update to the advisory on GitHub to reflect that this has not been addressed in 2.8

Created at 2 hours ago
create branch
G-Rath create branch G-Rath-GHSA-h7wm-ph43-c39p
Created at 2 hours ago
pull request opened
[GHSA-h7wm-ph43-c39p] Scrapy denial of service vulnerability

Updates

  • Affected products

Comments: Still not patched

Created at 2 hours ago

Improve GHSA-h7wm-ph43-c39p

Created at 2 hours ago
issue comment
Add `io.Reader` variants to `lockfile` package

fwiw I've made a start on this - patch is attached; main thing I'm still doing is figuring out how to make the JSON/YAML/TOML/XML parsers play nice with an io.Reader, and then the test suites for all parsers should probably be turned into a couple of table-based tests so that they can easily run against both the file and io.Reader versions of each function.

Am pausing for now in favor of #81, but will hopefully be able to have it done in a couple of weeks.

Index: pkg/lockfile/parse-yarn-lock.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse-yarn-lock.go b/pkg/lockfile/parse-yarn-lock.go
--- a/pkg/lockfile/parse-yarn-lock.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse-yarn-lock.go	(date 1675375026394)
@@ -3,6 +3,7 @@
 import (
 	"bufio"
 	"fmt"
+	"io"
 	"net/url"
 	"os"
 	"regexp"
@@ -170,19 +171,33 @@
 	}
 }
 
-func ParseYarnLock(pathToLockfile string) ([]PackageDetails, error) {
+func parseFileWithReader(pathToLockfile string, parserWithReader PackageDetailsParserWithReader) ([]PackageDetails, error) {
 	file, err := os.Open(pathToLockfile)
 	if err != nil {
 		return []PackageDetails{}, fmt.Errorf("could not open %s: %w", pathToLockfile, err)
 	}
 	defer file.Close()
 
-	scanner := bufio.NewScanner(file)
+	details, err := parserWithReader(file)
+
+	if err != nil {
+		err = fmt.Errorf("error while parsing %s: %w", pathToLockfile, err)
+	}
+
+	return details, err
+}
+
+func ParseYarnLock(pathToLockfile string) ([]PackageDetails, error) {
+	return parseFileWithReader(pathToLockfile, ParseYarnLockWithReader)
+}
+
+func ParseYarnLockWithReader(r io.Reader) ([]PackageDetails, error) {
+	scanner := bufio.NewScanner(r)
 
 	packageGroups := groupYarnPackageLines(scanner)
 
 	if err := scanner.Err(); err != nil {
-		return []PackageDetails{}, fmt.Errorf("error while scanning %s: %w", pathToLockfile, err)
+		return []PackageDetails{}, err
 	}
 
 	packages := make([]PackageDetails, 0, len(packageGroups))
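Review bot: `parseFileWithReader` is a generic helper that every parser in this patch calls, but it is defined in parse-yarn-lock.go; move it next to `readBytes` in parse.go so it is not buried in one format's parser, and give it and the exported `ParseYarnLockWithReader` a doc comment. Note also that the wrapped error text changes from `error while scanning %s` to `error while parsing %s`, so any test that uses `expectErrContaining` with the old wording needs to follow.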
Index: pkg/lockfile/parse-requirements-txt.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse-requirements-txt.go b/pkg/lockfile/parse-requirements-txt.go
--- a/pkg/lockfile/parse-requirements-txt.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse-requirements-txt.go	(date 1675375316408)
@@ -2,8 +2,7 @@
 
 import (
 	"bufio"
-	"fmt"
-	"os"
+	"io"
 	"regexp"
 	"strings"
 )
@@ -92,15 +91,13 @@
 }
 
 func ParseRequirementsTxt(pathToLockfile string) ([]PackageDetails, error) {
+	return parseFileWithReader(pathToLockfile, ParseRequirementsTxtWithReader)
+}
+
+func ParseRequirementsTxtWithReader(r io.Reader) ([]PackageDetails, error) {
 	var packages []PackageDetails
 
-	file, err := os.Open(pathToLockfile)
-	if err != nil {
-		return packages, fmt.Errorf("could not open %s: %w", pathToLockfile, err)
-	}
-	defer file.Close()
-
-	scanner := bufio.NewScanner(file)
+	scanner := bufio.NewScanner(r)
 
 	for scanner.Scan() {
 		line := removeComments(scanner.Text())
@@ -113,7 +110,7 @@
 	}
 
 	if err := scanner.Err(); err != nil {
-		return packages, fmt.Errorf("error while scanning %s: %w", pathToLockfile, err)
+		return []PackageDetails{}, err
 	}
 
 	return packages, nil
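Review bot: the scanner-error path changes from `return packages, fmt.Errorf(...)` to `return []PackageDetails{}, err`, so a partially parsed result is no longer returned alongside the error. That matches the other parsers in this patch, but it is a behaviour change for callers that inspected the partial slice and deserves a line in the commit message.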
Index: pkg/lockfile/parse-poetry-lock.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse-poetry-lock.go b/pkg/lockfile/parse-poetry-lock.go
--- a/pkg/lockfile/parse-poetry-lock.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse-poetry-lock.go	(date 1675388656506)
@@ -3,7 +3,7 @@
 import (
 	"fmt"
 	"github.com/BurntSushi/toml"
-	"os"
+	"io"
 )
 
 type PoetryLockPackageSource struct {
@@ -25,18 +25,16 @@
 const PoetryEcosystem = PipEcosystem
 
 func ParsePoetryLock(pathToLockfile string) ([]PackageDetails, error) {
+	return parseFileWithReader(pathToLockfile, ParsePoetryLockWithReader)
+}
+
+func ParsePoetryLockWithReader(r io.Reader) ([]PackageDetails, error) {
 	var parsedLockfile *PoetryLockFile
 
-	lockfileContents, err := os.ReadFile(pathToLockfile)
+	_, err := toml.NewDecoder(r).Decode(&parsedLockfile)
 
 	if err != nil {
-		return []PackageDetails{}, fmt.Errorf("could not read %s: %w", pathToLockfile, err)
-	}
-
-	err = toml.Unmarshal(lockfileContents, &parsedLockfile)
-
-	if err != nil {
-		return []PackageDetails{}, fmt.Errorf("could not parse %s: %w", pathToLockfile, err)
+		return []PackageDetails{}, fmt.Errorf("could not parse: %w", err)
 	}
 
 	packages := make([]PackageDetails, 0, len(parsedLockfile.Packages))
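Review bot: the `fmt.Errorf("could not parse: %w", err)` here is immediately re-wrapped by `parseFileWithReader` as `error while parsing %s: could not parse: ...`, so one of the two wraps should go. Separately, `parsedLockfile` is a pointer that is dereferenced at `len(parsedLockfile.Packages)` without the `parsedLockfile == nil` guard the pubspec parser has; add a test with an empty lockfile to confirm the decoder always allocates it.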
Index: pkg/lockfile/parse.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse.go b/pkg/lockfile/parse.go
--- a/pkg/lockfile/parse.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse.go	(date 1675384123861)
@@ -1,8 +1,10 @@
 package lockfile
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
+	"io"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -153,3 +155,10 @@
 		Packages: packages,
 	}, err
 }
+
+func readBytes(r io.Reader) []byte {
+	buf := new(bytes.Buffer)
+	buf.ReadFrom(r)
+
+	return buf.Bytes()
+}
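Review bot: `readBytes` discards the error from `buf.ReadFrom(r)`, so a read failure silently yields a truncated (possibly empty) byte slice that the caller then parses as if it were the whole file; return `([]byte, error)` or use `io.ReadAll`. Its only call site in this patch is the commented-out `ParsePubspecLockWithReader` in parse-pubspec-lock.go, so as it stands the function is dead code.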
Index: pkg/lockfile/parse-gradle-lock.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse-gradle-lock.go b/pkg/lockfile/parse-gradle-lock.go
--- a/pkg/lockfile/parse-gradle-lock.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse-gradle-lock.go	(date 1675388734510)
@@ -3,7 +3,7 @@
 import (
 	"bufio"
 	"fmt"
-	"os"
+	"io"
 	"strings"
 )
 
@@ -37,14 +37,12 @@
 }
 
 func ParseGradleLock(pathToLockfile string) ([]PackageDetails, error) {
-	file, err := os.Open(pathToLockfile)
-	if err != nil {
-		return []PackageDetails{}, fmt.Errorf("could not open %s: %w", pathToLockfile, err)
-	}
-	defer file.Close()
+	return parseFileWithReader(pathToLockfile, ParseGradleLockWithReader)
+}
 
+func ParseGradleLockWithReader(r io.Reader) ([]PackageDetails, error) {
 	pkgs := make([]PackageDetails, 0)
-	scanner := bufio.NewScanner(file)
+	scanner := bufio.NewScanner(r)
 
 	for scanner.Scan() {
 		lockLine := strings.TrimSpace(scanner.Text())
@@ -54,7 +52,7 @@
 
 		pkg, err := parseToGradlePackageDetail(lockLine)
 		if err != nil {
-			fmt.Fprintf(os.Stderr, "failed to parse lockline: %s\n", err.Error())
+			// fmt.Fprintf(os.Stderr, "failed to parse lockline: %s\n", err.Error())
 			continue
 		}
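Review bot: commenting out the `fmt.Fprintf(os.Stderr, ...)` call leaves dead code and silently drops the only signal that a lock line was skipped; either delete the line and say so in the commit message, or keep the `os` import and the warning. Also check that `fmt` is still used elsewhere in this file now that this call is gone, otherwise the import left in the header hunk will not compile.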
 
@@ -62,7 +60,7 @@
 	}
 
 	if err := scanner.Err(); err != nil {
-		return []PackageDetails{}, fmt.Errorf("failed to read %s: %w", pathToLockfile, err)
+		return []PackageDetails{}, err
 	}
 
 	return pkgs, nil
Index: pkg/lockfile/parse-pubspec-lock_test.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse-pubspec-lock_test.go b/pkg/lockfile/parse-pubspec-lock_test.go
--- a/pkg/lockfile/parse-pubspec-lock_test.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse-pubspec-lock_test.go	(date 1675387987210)
@@ -10,7 +10,7 @@
 
 	packages, err := lockfile.ParsePubspecLock("fixtures/pub/does-not-exist")
 
-	expectErrContaining(t, err, "could not read")
+	expectErrContaining(t, err, "could not open")
 	expectPackages(t, packages, []lockfile.PackageDetails{})
 }
 
@@ -219,3 +219,36 @@
 		},
 	})
 }
+
+// func TestParsePubspecLockWithReader_MixedPackages(t *testing.T) {
+// 	t.Parallel()
+//
+// 	packages, err := lockfile.ParsePubspecLockWithReader(openFileWithReader(t, "fixtures/pub/mixed-packages.lock"))
+//
+// 	if err != nil {
+// 		t.Errorf("Got unexpected error: %v", err)
+// 	}
+//
+// 	expectPackages(t, packages, []lockfile.PackageDetails{
+// 		{
+// 			Name:      "back_button_interceptor",
+// 			Version:   "6.0.1",
+// 			Ecosystem: lockfile.PubEcosystem,
+// 		},
+// 		{
+// 			Name:      "build_runner",
+// 			Version:   "2.2.1",
+// 			Ecosystem: lockfile.PubEcosystem,
+// 		},
+// 		{
+// 			Name:      "shelf",
+// 			Version:   "1.3.2",
+// 			Ecosystem: lockfile.PubEcosystem,
+// 		},
+// 		{
+// 			Name:      "shelf_web_socket",
+// 			Version:   "1.0.2",
+// 			Ecosystem: lockfile.PubEcosystem,
+// 		},
+// 	})
+// }
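Review bot: a fully commented-out test is being added here; either enable `TestParsePubspecLockWithReader_MixedPackages` (its fixture already exists) or leave it out of the patch, since commented tests rot and linters flag them. If it is enabled as written, the `openFileWithReader` helper in helpers_test.go will hand it an already-closed file.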
Index: pkg/lockfile/parse-pubspec-lock.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse-pubspec-lock.go b/pkg/lockfile/parse-pubspec-lock.go
--- a/pkg/lockfile/parse-pubspec-lock.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse-pubspec-lock.go	(date 1675387907593)
@@ -3,7 +3,7 @@
 import (
 	"fmt"
 	"gopkg.in/yaml.v2"
-	"os"
+	"io"
 )
 
 type PubspecLockDescription struct {
@@ -61,18 +61,32 @@
 const PubEcosystem Ecosystem = "Pub"
 
 func ParsePubspecLock(pathToLockfile string) ([]PackageDetails, error) {
+	return parseFileWithReader(pathToLockfile, ParsePubspecLockWithReader)
+}
+
+
+// func ParsePubspecLockWithReader(r io.Reader) ([]PackageDetails, error) {
+// 	return parsePubspecLockContents(readBytes(r))
+// }
+
+// func ParsePubspecLock(pathToLockfile string) ([]PackageDetails, error) {
+// 	lockfileContents, err := os.ReadFile(pathToLockfile)
+//
+// 	if err != nil {
+// 		return []PackageDetails{}, fmt.Errorf("could not read %s: %w", pathToLockfile, err)
+// 	}
+//
+// 	return parsePubspecLockContents(lockfileContents)
+// }
+
+// func parsePubspecLockContents(lockfileContents []byte) ([]PackageDetails, error) {
+func ParsePubspecLockWithReader(r io.Reader) ([]PackageDetails, error) {
 	var parsedLockfile *PubspecLockfile
 
-	lockfileContents, err := os.ReadFile(pathToLockfile)
+	err := yaml.NewDecoder(r).Decode(&parsedLockfile)
 
 	if err != nil {
-		return []PackageDetails{}, fmt.Errorf("could not read %s: %w", pathToLockfile, err)
-	}
-
-	err = yaml.Unmarshal(lockfileContents, &parsedLockfile)
-
-	if err != nil {
-		return []PackageDetails{}, fmt.Errorf("could not parse %s: %w", pathToLockfile, err)
+		return []PackageDetails{}, fmt.Errorf("could not parse: %w", err)
 	}
 	if parsedLockfile == nil {
 		return []PackageDetails{}, nil
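Review bot: switching from `yaml.Unmarshal` to `yaml.NewDecoder(r).Decode` changes empty-input behaviour: in gopkg.in/yaml.v2, `Decoder.Decode` returns `io.EOF` when the stream holds no document, so an empty pubspec.lock now fails with `could not parse: EOF` instead of reaching the `parsedLockfile == nil` branch that returns no packages. Either treat `errors.Is(err, io.EOF)` as an empty lockfile, or read the bytes and keep `yaml.Unmarshal`. The commented-out alternative implementations above the function and the doubled blank line at the top of the hunk should be removed before landing.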
Index: pkg/lockfile/apk-installed.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/apk-installed.go b/pkg/lockfile/apk-installed.go
--- a/pkg/lockfile/apk-installed.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/apk-installed.go	(date 1675383825828)
@@ -3,6 +3,7 @@
 import (
 	"bufio"
 	"fmt"
+	"io"
 	"os"
 	"sort"
 	"strings"
@@ -35,7 +36,7 @@
 	return groups
 }
 
-func parseApkPackageGroup(group []string, pathToLockfile string) PackageDetails {
+func parseApkPackageGroup(group []string) PackageDetails {
 	var pkg = PackageDetails{
 		Ecosystem: AlpineEcosystem,
 		CompareAs: AlpineEcosystem,
@@ -61,9 +62,8 @@
 
 		_, _ = fmt.Fprintf(
 			os.Stderr,
-			"warning: malformed APK installed file. Found no version number in record. Package %s. File: %s\n",
+			"warning: malformed APK installed file. Found no version number in record. Package %s.\n",
 			pkgPrintName,
-			pathToLockfile,
 		)
 	}
 
@@ -71,26 +71,23 @@
 }
 
 func ParseApkInstalled(pathToLockfile string) ([]PackageDetails, error) {
-	file, err := os.Open(pathToLockfile)
-	if err != nil {
-		return []PackageDetails{}, fmt.Errorf("could not open %s: %w", pathToLockfile, err)
-	}
-	defer file.Close()
+	return parseFileWithReader(pathToLockfile, ParseApkInstalledWithReader)
+}
 
-	scanner := bufio.NewScanner(file)
+func ParseApkInstalledWithReader(r io.Reader) ([]PackageDetails, error) {
+	scanner := bufio.NewScanner(r)
 
 	packageGroups := groupApkPackageLines(scanner)
 
 	packages := make([]PackageDetails, 0, len(packageGroups))
 
 	for _, group := range packageGroups {
-		pkg := parseApkPackageGroup(group, pathToLockfile)
+		pkg := parseApkPackageGroup(group)
 
 		if pkg.Name == "" {
 			_, _ = fmt.Fprintf(
 				os.Stderr,
-				"warning: malformed APK installed file. Found no package name in record. File: %s\n",
-				pathToLockfile,
+				"warning: malformed APK installed file. Found no package name in record.\n",
 			)
 
 			continue
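Review bot: dropping `pathToLockfile` from the two `malformed APK installed file` warnings makes them much less actionable when a scan walks many directories, because the operator can no longer tell which installed file was malformed. Consider having `parseFileWithReader` report the path when a parser emits a warning, or collect the warnings and let the path-aware caller print them.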
@@ -100,7 +97,7 @@
 	}
 
 	if err := scanner.Err(); err != nil {
-		return packages, fmt.Errorf("error while scanning %s: %w", pathToLockfile, err)
+		return []PackageDetails{}, err
 	}
 
 	return packages, nil
Index: pkg/lockfile/helpers_test.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/helpers_test.go b/pkg/lockfile/helpers_test.go
--- a/pkg/lockfile/helpers_test.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/helpers_test.go	(date 1675386229714)
@@ -3,10 +3,24 @@
 import (
 	"fmt"
 	"github.com/google/osv-scanner/pkg/lockfile"
+	"io"
+	"os"
 	"strings"
 	"testing"
 )
 
+func openFileWithReader(t *testing.T, pathToFile string) io.Reader {
+	t.Helper()
+
+	file, err := os.Open(pathToFile)
+	if err != nil {
+		t.Fatalf("could not open %s: %v", pathToFile, err)
+	}
+	defer file.Close()
+
+	return file
+}
+
 func expectErrContaining(t *testing.T, err error, str string) {
 	t.Helper()
 
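Review bot: `openFileWithReader` defers `file.Close()` and then returns `file`, so the caller receives an already-closed `*os.File` and every read fails with `os.ErrClosed`. Register the close with `t.Cleanup(func() { file.Close() })` instead, which runs when the test finishes.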
Index: pkg/lockfile/parse-mix-lock.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/parse-mix-lock.go b/pkg/lockfile/parse-mix-lock.go
--- a/pkg/lockfile/parse-mix-lock.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/parse-mix-lock.go	(date 1675383495999)
@@ -3,6 +3,7 @@
 import (
 	"bufio"
 	"fmt"
+	"io"
 	"os"
 	"regexp"
 	"strings"
@@ -11,15 +12,13 @@
 const MixEcosystem Ecosystem = "Hex"
 
 func ParseMixLock(pathToLockfile string) ([]PackageDetails, error) {
-	file, err := os.Open(pathToLockfile)
-	if err != nil {
-		return []PackageDetails{}, fmt.Errorf("could not open %s: %w", pathToLockfile, err)
-	}
-	defer file.Close()
+	return parseFileWithReader(pathToLockfile, ParseMixLockWithReader)
+}
 
+func ParseMixLockWithReader(r io.Reader) ([]PackageDetails, error) {
 	re := regexp.MustCompile(`^ +"(\w+)": \{.+,$`)
 
-	scanner := bufio.NewScanner(file)
+	scanner := bufio.NewScanner(r)
 
 	var packages []PackageDetails
 
@@ -70,7 +69,7 @@
 	}
 
 	if err := scanner.Err(); err != nil {
-		return []PackageDetails{}, fmt.Errorf("error while scanning %s: %w", pathToLockfile, err)
+		return []PackageDetails{}, err
 	}
 
 	return packages, nil
Index: pkg/lockfile/types.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/pkg/lockfile/types.go b/pkg/lockfile/types.go
--- a/pkg/lockfile/types.go	(revision 5df9444f04bc86e3c64e68ef65bc8e2711edb32c)
+++ b/pkg/lockfile/types.go	(date 1675374961495)
@@ -1,5 +1,7 @@
 package lockfile
 
+import "io"
+
 type PackageDetails struct {
 	Name      string    `json:"name"`
 	Version   string    `json:"version"`
@@ -11,3 +13,4 @@
 type Ecosystem string
 
 type PackageDetailsParser = func(pathToLockfile string) ([]PackageDetails, error)
+type PackageDetailsParserWithReader = func(r io.Reader) ([]PackageDetails, error)
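Review bot: the new exported alias `PackageDetailsParserWithReader` has no doc comment; add one stating the reader contract (the parser reads to EOF and does not close the reader), since `parseFileWithReader` owns the file and relies on that.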
Created at 5 hours ago
pull request closed
chore(deps): update @typescript-eslint/utils from 5.10.0 to 5.50.0

https://github.com/typescript-eslint/typescript-eslint/releases

The repo is using @typescript-eslint/utils 5.10.0 which is now a year old.

This package contains a minimum and maximum TypeScript version and logs a console warning if using TS outside of this range.

In version 5.10.0 this is >=3.3.1 <4.8.0.

TypeScript is now on version 4.9.5 with the 5.0.0 beta released.

For anyone outside of this range when running linting the following error is logged:

=============

WARNING: You are currently running a version of TypeScript which is not officially supported by @typescript-eslint/typescript-estree.

You may find that it works just fine, or you may not.

SUPPORTED TYPESCRIPT VERSIONS: >=3.3.1 <4.8.0

YOUR TYPESCRIPT VERSION: 4.8.4

Please only submit bug reports when using the officially supported version.

=============

This PR updates to the latest version, which has a range of >=3.3.1 <5.0.0.

Created at 5 hours ago
chore(deps): update @typescript-eslint/utils from 5.10.0 to 5.50.0

hmm I find that a bit suspect - all other things being up to date and equal, npm v8 should not be picking v5.15.0 for our plugin because that's just not how package constraints work and npm very much knows that.

The main other thing I'd try more as a proof of concept than anything else is removing our plugin + the typescript ones (and anything else you might have that depend on them), and then reinstalling them in a single npm install command (make sure to completely wipe out your node_modules first!)

I'll close this now though since we've established the issue lies with the package manager rather than with our constraint.

Created at 5 hours ago
chore(deps): update @typescript-eslint/utils from 5.10.0 to 5.50.0

The range I was referring to was the TS range - which extends rather than tightens.

That range is already that wide with our current constraint, because as a set that includes all versions it thus covers all those TypeScript ranges as well.

however so far I cannot get this to alter our lockfile to allow eslint-plugin-jest to be anything other than the snippet shared above.

If you share a reproduction repo, I'm happy to give it a go locally - I do have an expanded version of that script locally which I think might make the difference, but I've not pushed it up yet because I've not tested it extensively.

Created at 5 hours ago
chore(deps): update @typescript-eslint/utils from 5.10.0 to 5.50.0

i.e. it does not introduce breaking changes, it widens a range rather than tightens it, it does not seem a restrictive change there?

No, it only tightens the range because we've now gone from supporting >= 5.10.0, < 6, to >= 5.50.0, < 6 - the second range is a subset of the first range, meaning all the versions that are compatible with that range are already compatible with the first range.

At what point does eslint-plugin-jest normally consider it good practice to bump a package?

When we actually need to - our constraint is a year out of date, but you can use the most recent versions (which we ourselves are doing) just fine so there's no need to update our constraint.

Causing the need for manual intervention in lockfiles for consumers is the reason to update to me - while it may be a minor frustration, it is also a very minor update to fix it, from the perspective of our team's dependency practices.

I love an efficiently deduplicated tree as well, but this problem is not created by us - it's a result of an inefficiency in the package manager; our constraint allows the deduplication you're after, it's the package manager who's not doing it - while yes we could attempt to force that deduplication with this PR, it could have the exact opposite effect on someone else's lockfile.

The answer here is what we're already doing: a constraint that is for the minimum version we require, but ideally no higher to allow the maximum deduplication potential.

Created at 5 hours ago
chore(deps): update @typescript-eslint/utils from 5.10.0 to 5.50.0

That is an implementation detail of the package manager, which can change between tool, versions, etc - fwiw if I do npm i eslint-plugin-jest on a fresh project I get v5.50.0; deduplication in particular has always been something that package managers have differed on. (I would expect you can run npm_remove_package_from_lock @typescript-eslint/utils and then npm install will give you the deduplication you want)

Likewise, it actually causing problems with things like what TypeScript version is supported is not something we need to care about beyond the versions we support - so the fact that right now the version ranges happen to start with the same version doesn't mean that they will in future, but also is not something we need to think much about (i.e. while it would be going against semver, it is possible that v5.51.0 could drop support for those earlier versions of TypeScript).

Tightening the constraint in this case just means that there are fewer versions that can be used, restricting what people can use and making it harder to deduplicate.

To put it another way, is there a problem that this will fix?

Created at 6 hours ago
chore(deps): update @typescript-eslint/utils from 5.10.0 to 5.50.0

No, we support as far back as v5.10.0 but we use whatever version is installed by the downstream package manager which is guaranteed by our dependency constraint to be between v5.10.0 and v6, and that is generally the most recent version possible.

Created at 6 hours ago
issue comment
feat: support `--parse-as` flag

note the documentation is a little ham-y right now, but I think that'll be easier to improve once #168 is landed because then there'll be two cases like this.

Created at 11 hours ago

fix: adjust error message

fix: change installed to apk-installed

Created at 11 hours ago

Add experimental comment (#173)

Make OSV api public (#167)

  • Make OSV api public

  • Add osv file

  • Add comment on public function

  • Removed v1, made maxQueriesPerRequest private

  • Fix bug


Co-authored-by: Oliver Chang oliverchang@users.noreply.github.com

Log number of packages scanned from SBOMs. (#179)

APK: fix test function (#180)

feat: Render output as a markdown table for use in github comments (#156)

  • render output as markdown table (rebase)

  • Run gofmt -s on main.go

  • Fix import

  • Merge markdown and table logic into one function


Co-authored-by: Rex Pan rexpan@google.com
Co-authored-by: Rex P 106129829+another-rex@users.noreply.github.com

feat: support --parse-as flag

feat: implement parse-as as a map

fix: avoid panicking when --parse-as does not have :

feat: support parsing installed files explicitly via --parse-as

refactor: rename parseAsMap variable as it sounds like it could be a boolean flag

chore: ignore linting error since it just creates another linting error and this is the better code

feat: merge --parse-as functionality into --lockfile

fix: adjust error message

fix: change installed to apk-installed

Created at 11 hours ago
delete branch
G-Rath delete branch update-rails
Created at 11 hours ago

fix: update rails for security (#1495)

Addresses GHSA-8xww-x3g3-6jcv
Addresses GHSA-p84v-45xj-wwqj
Addresses GHSA-579w-22j4-4749
Addresses GHSA-hq7p-j377-6v63
Addresses GHSA-j6gc-792m-qgm2

Created at 11 hours ago
pull request closed
fix: update `rails` for security

Addresses GHSA-8xww-x3g3-6jcv
Addresses GHSA-p84v-45xj-wwqj
Addresses GHSA-579w-22j4-4749
Addresses GHSA-hq7p-j377-6v63
Addresses GHSA-j6gc-792m-qgm2

Created at 11 hours ago
issue comment
Double free security issue

This has been reported as GHSA-5gxp-c379-pj42 - is it possible to get a new release with the fix so we can update?

Created at 12 hours ago
pull request opened
fix: update Ruby for security

Addresses CVE-2021-33621

Created at 12 hours ago
create branch
G-Rath create branch update-ruby
Created at 12 hours ago