Add missing trailing zeros for Go and NPM packages #6658
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
progval
force-pushed
the
trailing-zeros
branch
from
4131978 to
19d2223
Compare
github-actions
bot
changed the base branch from
main
to
progval/advisory-improvement-6658
Go version parsers expect versions to have three parts: https://go.dev/doc/modules/version-numbers And the four NPM packages referenced here don't have versions with only two parts: https://www.npmjs.com/package/directus?activeTab=versions https://www.npmjs.com/package/@saltcorn/cli?activeTab=versions https://www.npmjs.com/package/@coinbase/wallet-sdk?activeTab=versions https://www.npmjs.com/package/react-router?activeTab=versions
progval
force-pushed
the
trailing-zeros
branch
from
19d2223 to
498f633
Compare
progval
changed the title
There was a problem hiding this comment.
Pull request overview
This pull request standardizes version numbers in security advisory files for Go and NPM packages by ensuring all versions use three-part semantic versioning (X.Y.Z format). The changes address compatibility requirements for Go version parsers that expect three-part version numbers, and align NPM package versions with their actual published versions which use three parts.
Changes:
- Updated version numbers from two-part to three-part format across multiple GitHub security advisories
- Corrected version specifications for Go packages (LXD, Grafana, Kubernetes, Vault, wal-g)
- Corrected version specifications for NPM packages (react-router, @coinbase/wallet-sdk, @saltcorn/cli, directus)
- Fixed trailing newline in one advisory file
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| GHSA-w2hg-2v4p-vmh6.json | Updated LXD (Go) version ranges from two-part to three-part format |
| GHSA-cpj6-fhp6-mr6j.json | Updated react-router (npm) introduced version to three-part format |
| GHSA-8rgj-285w-qcq4.json | Updated @coinbase/wallet-sdk (npm) introduced version to three-part format |
| GHSA-mx47-6497-3fv2.json | Updated Grafana (Go) introduced version to three-part format |
| GHSA-wxf3-4fvj-vqqx.json | Updated @saltcorn/cli (npm) fixed version to three-part format |
| GHSA-gggm-66rh-pp98.json | Updated directus (npm) introduced version to three-part format |
| GHSA-wq4c-wm6x-jw44.json | Added missing trailing newline to file |
| GHSA-m25m-5778-fm22.json | Updated Grafana (Go) introduced version to three-part format |
| GHSA-57gg-cj55-q5g2.json | Updated Vault (Go) introduced version to three-part format |
| GHSA-2jq6-ffph-p4h8.json | Updated Kubernetes (Go) introduced version to three-part format |
| GHSA-vrmr-f2qh-3hhf.json | Updated wal-g (Go) fixed version to three-part format |
Comments suppressed due to low confidence (3)
advisories/github-reviewed/2025/10/GHSA-w2hg-2v4p-vmh6/GHSA-w2hg-2v4p-vmh6.json:5
- The modified and published dates are set to November 2025 and October 2025 respectively, which were future dates relative to the current date of January 16, 2026. While these are now in the past, the modified date of November 5, 2025 should likely be updated to reflect the actual date of this modification.
"modified": "2025-11-05T22:08:31Z",
"published": "2025-10-02T21:21:33Z",
advisories/github-reviewed/2025/04/GHSA-cpj6-fhp6-mr6j/GHSA-cpj6-fhp6-mr6j.json:5
- The modified and published dates are set to April 2025, which were future dates at some point. While these are now in the past relative to January 16, 2026, the modified date should be updated to reflect the actual date of this modification.
"modified": "2025-04-25T14:34:15Z",
"published": "2025-04-24T16:31:32Z",
advisories/github-reviewed/2025/02/GHSA-8rgj-285w-qcq4/GHSA-8rgj-285w-qcq4.json:5
- The modified and published dates are set to February 2025, which were future dates at some point. While these are now in the past relative to January 16, 2026, the modified date should be updated to reflect the actual date of this modification.
"modified": "2025-02-10T17:59:09Z",
"published": "2025-02-10T17:59:09Z",
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
advisories/github-reviewed/2025/10/GHSA-w2hg-2v4p-vmh6/GHSA-w2hg-2v4p-vmh6.json
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (3)
advisories/github-reviewed/2025/10/GHSA-w2hg-2v4p-vmh6/GHSA-w2hg-2v4p-vmh6.json:5
- The 'modified' date (2025-11-05) and 'published' date (2025-10-02) are in the future. The current date is January 16, 2026, making these dates approximately 2-4 months in the past from now, but they appear to be in year 2025 which suggests they may need to be corrected to 2024 if they were meant to reference past events, or verified if they are intentionally set for future publication.
"modified": "2025-11-05T22:08:31Z",
"published": "2025-10-02T21:21:33Z",
advisories/github-reviewed/2025/04/GHSA-cpj6-fhp6-mr6j/GHSA-cpj6-fhp6-mr6j.json:5
- The 'modified' date (2025-04-25) and 'published' date (2025-04-24) are in the future. The current date is January 16, 2026, making these dates approximately 9 months in the past from now, but they appear to be in year 2025. These dates should be verified to ensure they accurately reflect when the advisory was published and last modified.
"modified": "2025-04-25T14:34:15Z",
"published": "2025-04-24T16:31:32Z",
advisories/github-reviewed/2025/02/GHSA-8rgj-285w-qcq4/GHSA-8rgj-285w-qcq4.json:5
- The 'modified' and 'published' dates (2025-02-10) are in the future. The current date is January 16, 2026, making this date approximately 11 months in the past from now, but it appears to be in year 2025. This date should be verified to ensure it accurately reflects when the advisory was published.
"modified": "2025-02-10T17:59:09Z",
"published": "2025-02-10T17:59:09Z",
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
Hi @progval, due to the way the community contributions system works, a PR can only be accepted if it changes one advisory at a time. I can make the changes you're suggesting, but the changes wouldn't merge the PR and you wouldn't get credit. You have two options:
Let me know which option you would prefer. |
Author
|
I'm not worried about credit. Thanks! |
Contributor
|
Cool, I'll break down how I handled the following advisories here:
|
Contributor
|
Closing this PR because I can't merge it, but the conversation can continue as needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Go version parsers expect versions to have three parts: https://go.dev/doc/modules/version-numbers
And the four NPM packages referenced here don't have versions with only two parts: