Closed Loki-Afro closed 9 months ago
@Loki-Afro The Action will block any PR containing vulnerable dependencies, even if they already existed in the code (as long as the manifest file is touched). I recommend using the allow-ghsas configuration option to make an exception for existing vulnerabilities you're already aware of.
When updating a dependency, dependency-review blocked the PR and complained because it found a "new" vulnerability,
but that vulnerability was already in the code, so it should not have blocked that PR.
Keep in mind that this is an npm project; you can also find the specific commit here: https://github.com/hpi-schul-cloud/schulcloud-server/commit/ffc78d56f2293bc2e8312f2bc1205d5b435ee722
Here are the results from the logs:
I guess this is because this dependency was installed twice, or in other words, it was present multiple times in the package-lock.json file, probably once installed like so:
node_modules/some-dep/node_modules/mongodb
I'm not an npm expert, but given that one flattens the results afterwards anyway, shouldn't it just dismiss this issue?
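The guess above (the same package present at two paths in package-lock.json) is easy to check from the lockfile itself. The following Node script is an added example, not code from this issue or from dependency-review-action: it reads the "packages" map that npm writes for lockfileVersion 2 and 3, where every installed copy is keyed by its node_modules path, and shows the difference between a per-path diff (a nested copy is a new entry) and a flattened per-name@version diff (a nested copy is only new if its version is new). The lockfiles, "some-dep" and all version numbers are constructed for the example.

```javascript
// Added example, not code from the issue thread or from dependency-review-action.
// It parses the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3,
// where every installed copy is keyed by its node_modules path) and shows the two
// ways a lockfile change can be read: per installed path, where a nested copy is a
// new entry, and per name@version, where it is only new if the version is new.
// All lockfile content below is constructed; "some-dep" and the versions are made up.

const lockBefore = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { mongodb: "^4.0.0", "some-dep": "^1.0.0" } },
    "node_modules/mongodb": { version: "4.1.0" },
    "node_modules/some-dep": { version: "1.0.0" },
  },
};

// Lockfile after bumping some-dep; the new some-dep pins its own mongodb, so npm
// keeps a second copy under node_modules/some-dep/node_modules/mongodb.
function withNestedMongodb(nestedVersion) {
  return {
    ...lockBefore,
    packages: {
      ...lockBefore.packages,
      "node_modules/some-dep": { version: "1.1.0" },
      "node_modules/some-dep/node_modules/mongodb": { version: nestedVersion },
    },
  };
}

// Package name for a lockfile path: everything after the last "node_modules/".
// Works for scoped packages too ("node_modules/@scope/name" -> "@scope/name").
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Every installed copy of `name`: path and version.
function findCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => nameFromPath(p) === name)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Path-level diff: any node_modules path present after but not before is "added",
// even when the same name@version already sits at another path.
function addedByPath(before, after) {
  return Object.keys(after.packages)
    .filter((p) => p !== "" && !(p in before.packages))
    .map((p) => ({ name: nameFromPath(p), path: p, version: after.packages[p].version }));
}

// Flattened diff for one package: versions of `name` installed after but not before,
// regardless of how many paths each version occupies.
function addedVersions(before, after, name) {
  const had = new Set(findCopies(before, name).map((c) => c.version));
  return [...new Set(findCopies(after, name).map((c) => c.version))].filter((v) => !had.has(v));
}

// Same version nested twice: a new path, but no new version of mongodb.
const sameVersion = withNestedMongodb("4.1.0");
console.log("copies:", findCopies(sameVersion, "mongodb"));
console.log("added paths:", addedByPath(lockBefore, sameVersion));
console.log("new mongodb versions:", addedVersions(lockBefore, sameVersion, "mongodb"));

// Different version nested: the flattened view also reports it, so an advisory that
// matched 3.x but not 4.x would be a genuinely new finding for this PR.
const olderVersion = withNestedMongodb("3.6.0");
console.log("new mongodb versions:", addedVersions(lockBefore, olderVersion, "mongodb"));
```

Run it with `node` and compare the two views for the package the Action flagged: if `addedVersions` is empty for that package, the nested copy is the same version that was already installed and an allowlist entry covers a known finding; if it lists a version, the bump pulled in a different release of the package, which is worth looking at before adding an exception.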