Correct js-toml fixed version#8430
Conversation
|
Audit note: I could not validate moving GHSA-wp3c-266w-4qfq from fixed version 1.1.1 to 1.1.2. The published GitHub Advisory lists first_patched_version 1.1.1 and vulnerable_version_range <= 1.1.0, and the v1.1.1 release notes reference GHSA-wp3c-266w-4qfq with guidance to upgrade users on 1.1.0 or earlier to 1.1.1. The v1.1.2 release notes appear to cover a different advisory, GHSA-m34p-749j-x6m6. The PR head JSON validates against the OSV schema, but based on the public advisory and release metadata, keeping the fixed version at 1.1.1 appears more consistent unless there is another source for treating 1.1.1 as affected. |
|
Closing after re-audit. The upstream advisory and v1.1.1 release identify GHSA-wp3c-266w-4qfq as fixed in 1.1.1 with vulnerable range <= 1.1.0, while v1.1.2 covers GHSA-m34p-749j-x6m6. This PR should not be merged as proposed. |
Corrects GHSA-wp3c-266w-4qfq to use js-toml 1.1.2 as the first fixed npm package version.
The 1.1.1 npm package still accepts the over-limit radix literal, while 1.1.2 rejects it and ships the fixed parser output. Adds the fixed package reference and source tag.