google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.15k stars, 347 forks

Guided Remediation support for npm peerDependencies #1026

Open michaelkedar opened 3 months ago

michaelkedar commented 3 months ago

Currently, guided remediation does not consider peerDependencies when making patches, which can (often?) result in a proposed patch having incompatible peer dependencies, which is a resolution failure in npm.

This is mostly because the deps.dev resolver we use was based on npm version 6, which does not automatically install or verify peerDependencies. Currently, we use the --legacy-peer-deps flag to ignore the problems found in modern npm versions. Ideally the resolver should evaluate peers, since we're possibly missing some vulnerabilities from implicitly included peer dependencies. Though this needs a change on the deps.dev side of things.

Still, we'd need to detect and fix issues in patches affecting peerDependencies. This probably requires a step after resolution to check for peerDependencies among the direct dependencies, and update the peer package if the version constraints are not correctly satisfied, and re-resolve.
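The post-resolution step sketched in the comment above, as an added example that is not osv-scanner's or deps.dev's code: a peerDependencies check over the direct dependencies a proposed patch settled on, followed by the "move the peer to a version that satisfies everyone and re-check" pass. It runs against an in-memory registry of hypothetical packages (framework, widget, plugin) constructed for the example, and implements only a subset of npm's range grammar (caret, tilde, exact, *, and >=/>/<=/</= comparators ANDed); prerelease tags, partial versions and || unions are rejected rather than guessed, so a range the subset does not understand cannot be silently treated as satisfied.

```javascript
// Parse "X.Y.Z" into [X, Y, Z]. Prerelease and build suffixes are rejected (a simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version ${JSON.stringify(v)}`);
  return m.slice(1).map(Number);
}

// Compare two parsed versions: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does version v satisfy the npm-style range r? Supported subset: "*", "X.Y.Z", "^X.Y.Z",
// "~X.Y.Z" and space-separated >=, >, <=, <, = comparators (ANDed). "||" unions, prerelease
// tags and partial versions such as "1.x" throw instead of being silently accepted.
function satisfies(v, r) {
  const ver = parseVersion(v);
  r = r.trim();
  if (r === "" || r === "*") return true;
  for (const c of r.split(/\s+/)) {
    const m = /^(\^|~|>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator ${JSON.stringify(c)}`);
    const op = m[1] || "", lo = parseVersion(m[2]), d = cmp(ver, lo);
    // Upper bound for ^ and ~: next major; next minor for ~ or ^ on 0.y.z; next patch for ^ on 0.0.z.
    let hi = [lo[0] + 1, 0, 0];
    if (op === "^" && lo[0] === 0 && lo[1] === 0) hi = [0, 0, lo[2] + 1];
    else if (op === "~" || (op === "^" && lo[0] === 0)) hi = [lo[0], lo[1] + 1, 0];
    const inRange = d >= 0 && cmp(ver, hi) < 0;
    const ok = { "": d === 0, "=": d === 0, ">": d > 0, ">=": d >= 0, "<": d < 0, "<=": d <= 0, "^": inRange, "~": inRange }[op];
    if (!ok) return false;
  }
  return true;
}

// registry: { pkg: { version: { peerPkg: range } } }, i.e. each version's peerDependencies.
// resolved: { pkg: version }, the direct dependencies a proposed patch settled on.
// Reports every peerDependency that is absent from the direct dependencies or whose
// resolved version falls outside the declared range, which is what modern npm rejects.
function checkPeers(registry, resolved) {
  const conflicts = [];
  for (const [dep, ver] of Object.entries(resolved)) {
    for (const [peer, want] of Object.entries((registry[dep] || {})[ver] || {})) {
      const have = resolved[peer];
      if (have === undefined || !satisfies(have, want)) conflicts.push({ dependent: dep, peer, want, have: have ?? null });
    }
  }
  return conflicts.sort((a, b) => (a.dependent + "/" + a.peer).localeCompare(b.dependent + "/" + b.peer));
}

// The fix step: move each conflicting peer (in place, in resolved) to the highest registry
// version that satisfies the root's own range and every peer range a direct dependency
// declares, then re-check. Bounded, since a moved peer may declare peers of its own.
// Returns the conflicts that no available version can satisfy.
function fixPeers(registry, root, resolved, maxRounds = 10) {
  for (let round = 0; round < maxRounds; round++) {
    const conflicts = checkPeers(registry, resolved);
    if (conflicts.length === 0) return [];
    let changed = false;
    for (const { peer } of conflicts) {
      const ranges = [root[peer] || "*"];
      for (const [dep, ver] of Object.entries(resolved)) {
        const want = ((registry[dep] || {})[ver] || {})[peer];
        if (want !== undefined) ranges.push(want);
      }
      const candidates = Object.keys(registry[peer] || {}).filter((v) => ranges.every((r) => satisfies(v, r)));
      if (candidates.length === 0) continue; // nothing satisfies everyone: leave it for the report
      const best = candidates.reduce((a, b) => (cmp(parseVersion(a), parseVersion(b)) >= 0 ? a : b));
      if (best !== resolved[peer]) { resolved[peer] = best; changed = true; }
    }
    if (!changed) return conflicts;
  }
  return checkPeers(registry, resolved);
}

// Constructed sample data with hypothetical package names, not real npm packages:
// widget 3.1.0 tightened its peer range on framework, and widget 4.0.0 moved to framework 2.x.
const SAMPLE_REGISTRY = {
  framework: { "1.4.0": {}, "1.5.2": {}, "2.0.0": {}, "2.1.0": {} },
  widget: { "3.0.0": { framework: "^1.4.0" }, "3.1.0": { framework: "^1.5.0" }, "4.0.0": { framework: "^2.0.0" } },
  plugin: { "0.9.0": { framework: ">=1.0.0 <2.0.0" } },
};
const SAMPLE_ROOT = { framework: "^1.0.0", widget: "^3.0.0", plugin: "~0.9.0" };

function demo() {
  // A proposed patch bumped widget 3.0.0 -> 3.1.0 but left framework at 1.4.0, which
  // widget 3.1.0's peerDependencies no longer accept: the fix step moves framework to 1.5.2.
  const patched = { framework: "1.4.0", widget: "3.1.0", plugin: "0.9.0" };
  const before = checkPeers(SAMPLE_REGISTRY, patched);
  const left = fixPeers(SAMPLE_REGISTRY, SAMPLE_ROOT, patched);
  // widget 4.0.0 wants framework ^2.0.0, which the root's ^1.0.0 rules out: nothing can move,
  // so the conflict is reported instead of emitting a patch that npm would refuse to install.
  const stuck = { framework: "1.4.0", widget: "4.0.0", plugin: "0.9.0" };
  const unfixable = fixPeers(SAMPLE_REGISTRY, SAMPLE_ROOT, stuck);
  return { before, fixed: patched, left, unfixable };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; the printed JSON shows the conflict found in the proposed patch, the dependency set after framework is moved to 1.5.2, and the widget 4.0.0 case that is left as unfixable. A real implementation would delegate range matching to the semver package (or the resolver's own matcher) rather than the subset above, and the unfixable case is the one that needs to surface to the user, since it is exactly the patch that would fail resolution in npm without --legacy-peer-deps.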

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks