Closed spencerschrock closed 1 year ago
@G-Rath Can you take a look? Thanks!
That is the actual version of the package: https://github.com/angular/domino/blob/main/package.json#L3
It's a valid semantic version, but Yarn v1 strips out build metadata; Yarn Berry and npm v7+, however, don't.
Out of curiosity, does `2.1.6+git` vs `2.1.6` make a difference when the call bubbles up to osv.dev?
It shouldn't because build metadata is meant to be ignored when comparing versions
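To make the point about build metadata concrete, here is a small semver parser and comparator added for this page (it is example code, not osv-scanner's, osv.dev's or Yarn's implementation, and the function names `Parse`, `Compare` and `StripBuild` are hypothetical). `Compare` follows the semver precedence rules, so `2.1.6+git` and `2.1.6` rank equal, while prerelease identifiers still order correctly; `StripBuild` shows what Yarn v1 does to the version before it lands in `yarn.lock`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed semantic version; Build is kept for display only.
type Version struct {
	Major, Minor, Patch int
	Prerelease          []string
	Build               string
}

// isNumeric reports whether s is an unsigned decimal integer (digits only, no sign).
func isNumeric(s string) bool {
	_, err := strconv.ParseUint(s, 10, 64)
	return err == nil
}

// Parse splits "MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]"; '+' is cut first so a '-' inside build metadata is not read as a prerelease.
func Parse(s string) (Version, error) {
	var v Version
	core, build, _ := strings.Cut(s, "+")
	v.Build = build
	core, pre, hasPre := strings.Cut(core, "-")
	if hasPre {
		v.Prerelease = strings.Split(pre, ".")
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", core)
	}
	var nums [3]int
	for i, p := range parts {
		// numeric identifiers must be digits only with no leading zeros
		if !isNumeric(p) || (len(p) > 1 && p[0] == '0') {
			return v, fmt.Errorf("bad numeric component %q", p)
		}
		nums[i], _ = strconv.Atoi(p)
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

func sign(d int) int {
	if d < 0 {
		return -1
	} else if d > 0 {
		return 1
	}
	return 0
}

// compareIdent: numeric identifiers compare as integers and rank below alphanumeric ones (compared lexically).
func compareIdent(x, y string) int {
	xNum, yNum := isNumeric(x), isNumeric(y)
	switch {
	case xNum && yNum:
		xi, _ := strconv.Atoi(x)
		yi, _ := strconv.Atoi(y)
		return sign(xi - yi)
	case xNum:
		return -1
	case yNum:
		return 1
	}
	return strings.Compare(x, y)
}

// Compare returns -1, 0 or 1 by semver precedence. Build metadata is ignored,
// so "2.1.6+git" equals "2.1.6"; a prerelease sorts below its release.
func Compare(a, b Version) int {
	for _, d := range [3]int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d != 0 {
			return sign(d)
		}
	}
	if len(a.Prerelease) == 0 || len(b.Prerelease) == 0 {
		// a release outranks any of its prereleases; two releases are equal
		return sign(len(b.Prerelease) - len(a.Prerelease))
	}
	for i := 0; i < len(a.Prerelease) && i < len(b.Prerelease); i++ {
		if c := compareIdent(a.Prerelease[i], b.Prerelease[i]); c != 0 {
			return c
		}
	}
	return sign(len(a.Prerelease) - len(b.Prerelease)) // longer list ranks higher
}

// StripBuild mimics Yarn v1, which drops the "+..." suffix before writing yarn.lock.
func StripBuild(s string) string { core, _, _ := strings.Cut(s, "+"); return core }

func main() {
	a, _ := Parse("2.1.6+git")
	b, _ := Parse("2.1.6")
	fmt.Println(Compare(a, b), StripBuild("2.1.6+git"), a.Build) // 0 2.1.6 git
}
```

The practical consequence for a scanner is that a lockfile entry of `2.1.6+git` should be matched against the same advisories as `2.1.6`: either strip the metadata up front, as Yarn v1 does, or compare with a routine that ignores it, as `Compare` does here.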
Saw this today running osv-scanner indirectly through Scorecard. The offending line is here, which was added recently here.

I see the `+` symbol is used for build info in npm semver, but I have no idea if this is a valid `yarn.lock` file (similar to #142) with any version of yarn.

Not a yarn user; tried a few things and got different (valid) lockfiles. Not sure what Angular did to get theirs. Running `yarn add domino@2.1.6` yields:

And `yarn add https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a` produces: