
Advisory GHSA-xffm-g5w8-qvg7 has incorrect fix version

Open d-ellis opened this issue 5 months ago • 2 comments

The advisory against @eslint/plugin-kit (GHSA-xffm-g5w8-qvg7) has an incorrect fix version. It is marked as affecting versions < 0.3.3 and as being patched in the 0.3.3 release; however, it wasn't actually patched until the 0.3.4 release, which you can see by tracing the commit https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805 and by checking the releases tab (eslint/rewrite v0.3.4).

The advisory should be updated to show the correct patched version.

d-ellis (Jul 25 '25 09:07)

Hi @d-ellis, thanks for bringing this to our attention. After reviewing the commit, release notes, and the related PR, there does appear to be a discrepancy between the fix version of 0.3.4 found in the references and the currently stated fix version of 0.3.3. I am tagging @fasttime, as he is the creator of this security advisory and may be able to offer more insight into this issue.

helixplant (Jul 25 '25 19:07)

Thanks for the report @d-ellis and @helixplant. I've corrected the original advisory https://github.com/eslint/rewrite/security/advisories/GHSA-xffm-g5w8-qvg7 to indicate package versions <0.3.4 as affected. Please feel free to update the information in this repo as well.

fasttime (Jul 28 '25 08:07)
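To show why the wrong fix version matters to anyone consuming the advisory, here is an added example (not code from this issue, the advisory database, or the eslint project) that evaluates an OSV-style `introduced`/`fixed` range the way an audit tool would; the two `AffectedRange` records are constructed to mirror the original (fixed 0.3.3) and corrected (fixed 0.3.4) states of GHSA-xffm-g5w8-qvg7 as described above, and the function names are assumptions.

```python
# Added example, not part of the advisory-database issue above.
# Demonstrates how an OSV-style affected range is evaluated and why the
# original GHSA-xffm-g5w8-qvg7 record (fixed: 0.3.3) left 0.3.3 unflagged.
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a plain major.minor.patch string into a comparable tuple.

    Pre-release tags are not needed for the versions in this issue, so
    they are rejected rather than silently mis-ordered.
    """
    core = v.strip().lstrip("v")
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class AffectedRange:
    """One OSV-style range: affected if introduced <= version < fixed."""
    package: str
    introduced: str  # "0" means every release from the first one
    fixed: str       # first version that is NOT affected

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed records mirroring the two states of the advisory in the issue.
ORIGINAL = AffectedRange("@eslint/plugin-kit", "0", "0.3.3")   # wrong fix
CORRECTED = AffectedRange("@eslint/plugin-kit", "0", "0.3.4")  # actual fix


def audit(installed: str, advisory: AffectedRange) -> bool:
    """Return True when the advisory reports the installed version as affected."""
    return advisory.contains(installed)


def false_negatives(advisory: AffectedRange, truth: AffectedRange,
                    versions: List[str]) -> List[str]:
    """Versions the advisory calls safe that the ground truth calls affected."""
    return [v for v in versions if truth.contains(v) and not advisory.contains(v)]


if __name__ == "__main__":
    sample = ["0.3.2", "0.3.3", "0.3.4"]  # constructed sample of installed versions
    for ver in sample:
        print(ver, "original:", audit(ver, ORIGINAL), "corrected:", audit(ver, CORRECTED))
    print("missed by original record:", false_negatives(ORIGINAL, CORRECTED, sample))
```

Running it shows that 0.3.3 is reported as safe under the original record and as affected under the corrected one, which is exactly the gap the issue reports.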