pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Distro backports considered? #450

Open buhtz opened 1 year ago

buhtz commented 1 year ago

How does safety identify the version of a package? Does it take into account that it might be "old" but have security fixes backported by the distro maintainers? This happens often at Debian, for example. The package version might be old (e.g. 2.1) but it does have security fixes provided by upstream in a newer version only (e.g. 2.6). But the distro maintainers do take such fixes and backport them to their old version.

Does safety notice this?
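The mismatch described above, as an added example that is not Safety's own code: a plain version-range check marks an upstream version inside the vulnerable range as affected, and the only signal that a distro may have backported the fix is the revision suffix (e.g. `-1+deb11u2`) that Debian appends to the upstream version. The example assumes the scanner is handed the distro's version string (as `dpkg -s` reports it) rather than the bare upstream number that Python package metadata usually carries, and uses a constructed advisory record, not a real one.

```python
import re

# Constructed advisory record for a hypothetical package; not real Safety data.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib",
     "vulnerable_from": "2.0", "fixed_in": "2.6"},
]

_PLAIN = re.compile(r"^(\d+(?:\.\d+)*)$")
# Upstream version followed by a distro revision, e.g. "2.1-1+deb11u2".
# The part after the separator is where maintainers record their own patches.
_DISTRO = re.compile(r"^(\d+(?:\.\d+)*)[-+~](.+)$")


def parse_version(text):
    """Return (upstream version tuple, distro revision or None)."""
    m = _PLAIN.match(text)
    if m:
        return tuple(int(p) for p in m.group(1).split(".")), None
    m = _DISTRO.match(text)
    if m:
        return tuple(int(p) for p in m.group(1).split(".")), m.group(2)
    raise ValueError(f"unrecognised version string: {text!r}")


def in_range(version, lo, hi):
    """True if lo <= version < hi, padding shorter tuples with zeros."""
    n = max(len(version), len(lo), len(hi))
    v, l, h = (t + (0,) * (n - len(t)) for t in (version, lo, hi))
    return l <= v < h


def assess(package, version_text, advisories=ADVISORIES):
    """Classify by upstream version, then qualify the verdict by distro revision."""
    upstream, revision = parse_version(version_text)
    hits = []
    for adv in advisories:
        if adv["package"] != package:
            continue
        lo, _ = parse_version(adv["vulnerable_from"])
        hi, _ = parse_version(adv["fixed_in"])
        if in_range(upstream, lo, hi):
            hits.append(adv["id"])
    if not hits:
        return "not affected", []
    if revision is not None:
        # The upstream number is in the vulnerable range, but the distro has
        # modified this build, so the fix may be backported: version alone
        # cannot decide, and the finding should be checked against the
        # distro's changelog or security tracker.
        return "needs review (distro-patched build)", hits
    return "vulnerable", hits
```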

Jwomers commented 1 year ago

Hi @buhtz! Thanks for sending this through. This is an interesting edge case that we need to handle better. Are you aware of some good examples in the Python ecosystem where we could study this and learn from? Also, do you have any ideas from your side on how we would tackle this? What repeatable process could we follow to track this, both on the patch side and separately the scanner side? Just curious to hear your thoughts :) Thanks!