Open hyangah opened 1 year ago
Hmm, I'm not sure that this matches the scope of the versions tab. Listing packages may be distracting and/or misleading.
Aside: it would be nice if the vulnerability pages defined what it means for a package or symbol to be affected.
https://pkg.go.dev/golang.org/x/text?tab=versions
A module may contain multiple packages. When browsing the module's version history, the versions tab provides vulnerability info. However, it's hard to figure out whether a vulnerability affects the entire module, or only a certain package.
For example, GO-2022-1059 affects golang.org/x/text/language but is visible from pkg.go.dev/golang.org/x/text?tab=versions, and it's not obvious that this vulnerability affects only golang.org/x/text/language.
OTOH, if other packages in the module "transitively" depend on golang.org/x/text/language, I wonder if they are included in the OSV entry.
https://github.com/golang/go/issues/60579#issue-1738511488
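Added example, not part of the issue thread and not pkg.go.dev's code: Go vulnerability database entries in OSV format record affected packages under `affected[].ecosystem_specific.imports`, so a tool can report package-level scope for a module. The sample entry is constructed (only the ID and the two paths come from the issue), `AffectedPackages` is a hypothetical helper, and it reports only the packages the entry lists, not packages that import them.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like a Go vulnerability database OSV entry.
// Only the ID, module path and package path are taken from the issue.
const sampleEntry = `{
  "id": "GO-2022-1059",
  "affected": [{
    "package": {"name": "golang.org/x/text", "ecosystem": "Go"},
    "ecosystem_specific": {"imports": [{"path": "golang.org/x/text/language"}]}
  }]
}`

// entry models just the fields needed to find package-level scope.
type entry struct {
	Affected []struct {
		Package           struct{ Name string `json:"name"` } `json:"package"`
		EcosystemSpecific struct {
			Imports []struct {
				Path string `json:"path"`
			} `json:"imports"`
		} `json:"ecosystem_specific"`
	} `json:"affected"`
}

// AffectedPackages returns the package paths the entry lists for module.
// listed is true when the module is named in the entry at all; an empty
// pkgs with listed == true means no package-level detail was recorded.
func AffectedPackages(raw []byte, module string) (pkgs []string, listed bool, err error) {
	var e entry
	if err = json.Unmarshal(raw, &e); err != nil {
		return nil, false, err
	}
	for _, a := range e.Affected {
		if a.Package.Name == module {
			listed = true
			for _, imp := range a.EcosystemSpecific.Imports {
				pkgs = append(pkgs, imp.Path)
			}
		}
	}
	return pkgs, listed, nil
}

func main() {
	fmt.Println(AffectedPackages([]byte(sampleEntry), "golang.org/x/text"))
}
```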