
osv: backport ECOSYSTEM skip to stable-1.5.44 #1913

Open

jvdm wants to merge 1 commit into quay:stable-1.5.44 from jvdm:jvdm-backport-ecosystem-skip-1.5.44

Conversation

jvdm (Contributor) commented Jun 11, 2026

Backport of #1908 to stable-1.5.44 for the ACS 4.9.x v2 vulnerability bundle stream.

Adapted for the v1.5.44 API: uses zlog instead of slog, and skipped.Ignored as a slice append instead of a method call.

Context: ROX-34975

The GitHub Advisory Database published advisories for the npm package nocodb using the ECOSYSTEM range type instead of SEMVER (e.g., GHSA-4w6r-5c2j-qf5f). This happens because nocodb switched to calendar-based versioning (2026.04.1), which is not valid SemVer 2.0; the advisory database chose ECOSYSTEM accordingly.

The parser currently returns a hard error for ECOSYSTEM ranges on the Go and npm ecosystems, added as a defensive check in a607a05 and 87be024. This error propagates through Parse, aborting the entire ecosystem update.

This change skips the range with a warning instead, using the same pattern as GIT ranges. The advisory is recorded via stats.Ignored.

Signed-off-by: J. Victor Martins <jvdm@sdf.org>
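The two behaviours contrasted in the description above, the hard error that aborts the whole ecosystem update versus the skip-with-warning that records the advisory in stats.Ignored, as an added example. This is not claircore's code and not the PR's diff: the OSV types, the `semverOnly` table, `parseAdvisory`, `parseFeed`, the `strict` flag and the sample feed are all constructed for this illustration. It uses the standard `log` package rather than zlog, and the `strict=true` path stands in for the pre-fix behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"regexp"
)

// Minimal subset of the OSV schema needed for range handling.
// Types are constructed for this example, not claircore's own.
type Advisory struct {
	ID       string     `json:"id"`
	Affected []Affected `json:"affected"`
}

type Affected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Ranges []Range `json:"ranges"`
}

type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}

type Event struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}

// Vuln is what one introduced/fixed event pair becomes.
type Vuln struct {
	ID, Ecosystem, Package, Introduced, Fixed string
}

// Stats records what was dropped; Ignored is appended as a plain slice,
// matching the 1.5.44 adaptation mentioned in the PR.
type Stats struct {
	Ignored []string
}

// semverOnly lists the ecosystems whose versions this example treats as SemVer.
var semverOnly = map[string]bool{"Go": true, "npm": true}

// SemVer 2.0 core grammar forbids leading zeros, so "2026.04.1" is rejected.
var semverRe = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// isSemver accepts OSV's special "0" (affected from the first version) as well.
func isSemver(v string) bool { return v == "0" || semverRe.MatchString(v) }

// parseAdvisory converts one advisory's ranges into Vulns. With strict=true an
// ECOSYSTEM range on a SemVer-only ecosystem is a hard error (pre-fix behaviour);
// with strict=false it is skipped with a warning and recorded in stats.Ignored,
// the same way GIT ranges are handled.
func parseAdvisory(a Advisory, stats *Stats, strict bool) ([]Vuln, error) {
	var out []Vuln
	for _, aff := range a.Affected {
		eco, name := aff.Package.Ecosystem, aff.Package.Name
		for _, r := range aff.Ranges {
			skip := false
			switch r.Type {
			case "SEMVER":
			case "ECOSYSTEM":
				if semverOnly[eco] {
					if strict {
						return nil, fmt.Errorf("%s: ECOSYSTEM range not supported for %s", a.ID, eco)
					}
					skip = true
				}
			case "GIT":
				skip = true // commit ranges cannot be mapped to package versions here
			default:
				return nil, fmt.Errorf("%s: unknown range type %q", a.ID, r.Type)
			}
			if skip {
				log.Printf("warn: %s: skipping %s range for %s/%s", a.ID, r.Type, eco, name)
				stats.Ignored = append(stats.Ignored, a.ID)
				continue
			}
			var cur *Vuln
			for _, ev := range r.Events {
				switch {
				case ev.Introduced != "":
					if r.Type == "SEMVER" && !isSemver(ev.Introduced) {
						return nil, fmt.Errorf("%s: %q is not SemVer", a.ID, ev.Introduced)
					}
					out = append(out, Vuln{ID: a.ID, Ecosystem: eco, Package: name, Introduced: ev.Introduced})
					cur = &out[len(out)-1]
				case ev.Fixed != "" && cur != nil:
					if r.Type == "SEMVER" && !isSemver(ev.Fixed) {
						return nil, fmt.Errorf("%s: %q is not SemVer", a.ID, ev.Fixed)
					}
					cur.Fixed = ev.Fixed
				}
			}
		}
	}
	return out, nil
}

// parseFeed runs a whole batch. In strict mode one bad advisory aborts the
// entire update, which is exactly the failure the skip avoids.
func parseFeed(data []byte, strict bool) ([]Vuln, Stats, error) {
	var advs []Advisory
	var stats Stats
	if err := json.Unmarshal(data, &advs); err != nil {
		return nil, stats, err
	}
	var all []Vuln
	for _, a := range advs {
		vs, err := parseAdvisory(a, &stats, strict)
		if err != nil {
			return nil, stats, fmt.Errorf("update aborted: %w", err)
		}
		all = append(all, vs...)
	}
	return all, stats, nil
}

// sampleFeed is constructed for this example; IDs, packages and versions are made up.
var sampleFeed = []byte(`[
 {"id":"EX-0001","affected":[{"package":{"ecosystem":"npm","name":"calver-pkg"},
  "ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2026.04.1"}]}]}]},
 {"id":"EX-0002","affected":[{"package":{"ecosystem":"Go","name":"example.com/mod"},
  "ranges":[{"type":"SEMVER","events":[{"introduced":"1.2.0"},{"fixed":"1.2.5"}]}]}]},
 {"id":"EX-0003","affected":[{"package":{"ecosystem":"Go","name":"example.com/other"},
  "ranges":[{"type":"GIT","events":[{"introduced":"0"},{"fixed":"deadbeef"}]}]}]}
]`)

func main() {
	if _, _, err := parseFeed(sampleFeed, true); err != nil {
		fmt.Println("strict:", err) // EX-0002 and EX-0003 never get processed
	}
	vulns, stats, err := parseFeed(sampleFeed, false)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("lenient: %d vuln(s), ignored %v\n", len(vulns), stats.Ignored)
}
```

The point to take from running it: in strict mode the first ECOSYSTEM range fails the whole feed, so the perfectly good SEMVER advisory EX-0002 is lost too; in lenient mode EX-0001 and the GIT-only EX-0003 land in Ignored and EX-0002 still ships. The `isSemver` check stays a hard error in both modes, because a malformed version inside a range that claims to be SEMVER is bad data rather than an unsupported-but-valid range type.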
jvdm requested a review from a team as a code owner June 11, 2026 21:05
jvdm requested review from hdonnay and removed request for a team June 11, 2026 21:05
dcaravel previously approved these changes Jun 11, 2026
dcaravel self-requested a review June 11, 2026 23:31
dcaravel dismissed their stale review June 11, 2026 23:31

Need to verify this doesn't include the link fragment change or will break existing users.

dcaravel left a comment

LGTM - IMO focus on this one first as v2 is what is most impacting current users.
