snyk / vulncost

Find security vulnerabilities in open source npm packages while you code
https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost
MIT License
201 stars, 38 forks

Invalid number of vulnerabilities reported when signed in #19

Closed matauth0 closed 4 years ago

matauth0 commented 4 years ago

When using the extension without authentication, the proper number of vulnerabilities seems to be presented inline (9), while when signed in the extension reports 15 vulnerabilities inline and 9 in the output panel.

In order to reproduce:

package.json:

```json
{
  "name": "snyk-vuln-cost",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "3.0.0",
    "lodash": "4.0.0"
  }
}
```

index.js:

```js
const app = require('express')
const _ = require('lodash')
```

thisislawatts commented 4 years ago

Heya @matauth0,

Thanks so much for taking the time to detail the steps to reproduce the issue 🙏

The authenticated and unauthenticated requests hit different parts of our system which take slightly different approaches to vulnerabilities when they appear multiple times within a single package. The former counts each instance of a vulnerability within a package, whereas the unauthenticated view will group these vulnerabilities based on a unique ID. If you take a look at this example you can see appears multiple times as it has been introduced through 4 paths.

I've raised a PR to improve consistency #21
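To make the two counting rules concrete, here is an added example that is not code from vulncost, Snyk, or either commenter. It shows how the same scan result yields a larger number when every instance (one per dependency path) is counted and a smaller number when instances are grouped by vulnerability ID, and how merging the paths under one record makes the two views agree. The record shape, the `EXAMPLE-*` IDs and the `pkg-*` package names are constructed for illustration and are not Snyk's API format or real advisories.

```javascript
// Added example (not vulncost's or Snyk's code). Two ways of counting one
// scan result: per instance versus per unique vulnerability ID. The record
// shape below is an assumption made for illustration, not Snyk's API.

// Constructed sample: seven instances of four distinct vulnerabilities.
// `from` is the dependency path through which that instance is introduced;
// the same ID appears once per path, which is what inflates a naive count.
const SAMPLE_INSTANCES = [
  { id: "EXAMPLE-1", package: "pkg-a", from: ["app", "pkg-a"] },
  { id: "EXAMPLE-1", package: "pkg-a", from: ["app", "pkg-b", "pkg-a"] },
  { id: "EXAMPLE-1", package: "pkg-a", from: ["app", "pkg-c", "pkg-a"] },
  { id: "EXAMPLE-2", package: "pkg-a", from: ["app", "pkg-a"] },
  { id: "EXAMPLE-2", package: "pkg-a", from: ["app", "pkg-b", "pkg-a"] },
  { id: "EXAMPLE-3", package: "pkg-b", from: ["app", "pkg-b"] },
  { id: "EXAMPLE-4", package: "pkg-c", from: ["app", "pkg-c"] },
];

// Per-instance counting: every path is treated as a separate finding.
function countInstances(instances) {
  return instances.length;
}

// Group instances by vulnerability ID. The paths are merged into the group
// so reachability information survives; only the double counting goes away.
function groupByVulnId(instances) {
  const groups = new Map();
  for (const inst of instances) {
    if (!groups.has(inst.id)) {
      groups.set(inst.id, { id: inst.id, package: inst.package, paths: [] });
    }
    groups.get(inst.id).paths.push(inst.from.join(" > "));
  }
  return groups;
}

// Per-unique-ID counting: what a grouped view reports.
function countUnique(instances) {
  return groupByVulnId(instances).size;
}

// One record per ID, ready for display. Counting this list with
// countInstances() yields the same number as countUnique() on the raw list,
// which is the consistency property a UI showing both figures needs.
function dedupeByVulnId(instances) {
  return Array.from(groupByVulnId(instances).values());
}

// Both figures side by side, plus how many paths introduce each ID.
function summarize(instances) {
  const grouped = dedupeByVulnId(instances);
  return {
    instanceCount: countInstances(instances),
    uniqueCount: countUnique(instances),
    perId: grouped.map((g) => ({ id: g.id, pathCount: g.paths.length })),
  };
}

// Stand-alone run: prints 7 instances versus 4 unique IDs for the sample.
console.log(JSON.stringify(summarize(SAMPLE_INSTANCES), null, 2));
```

Running the block prints `instanceCount: 7` and `uniqueCount: 4` for the constructed sample; the `perId` list shows that the gap comes entirely from IDs reachable through more than one path, which is the same effect the 15-versus-9 discrepancy in this issue describes.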

matauth0 commented 4 years ago

Thank you!

thisislawatts commented 4 years ago

:tada: This issue has been resolved in version 1.2.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: