Navigation

    Inedo Community Forums

    Forums
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    1. Home
    2. caterina
    3. Posts
    C
    • Profile
    • Following
    • Followers
    • Topics
    • Posts
    • Best
    • Groups

    Posts made by caterina

    • pgscan: lockfileVersion 3 for npm dependencies not supported

      We noticed that pgscan does not list any dependencies for one of our npm-projects.
      After debugging into it and comparing it with other npm-projects we noticed that there is a difference in the lockfileVersion of the package-lock.json files. The "problem-project" has lockfileVersion 3 while the others have lockfileVersion 2.
      pgscan tries to read the dependencies from the property "dependencies" which is a legacy-property from lockfileVersion 1. lockfileVerson 2 was downward compatible, but lockfileVersion 3 (used by npm v9) is not. The newest package-lock.json no longer has the property "dependencies" and all dependencies are part of the "packages"-property.
      Here is the official documentation about it: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json/#lockfileversion

      Have you already noticed this breaking change in the package-lock.json files?

      I already opened an issue for this topic on ghithub:
      https://github.com/Inedo/pgscan/issues/33

      posted in Support
      C
      caterina
    • ProGet: Vulnerability assessment types - missing vulnerabilities

      Hi,

      we have the assessment type "Manually Unblocked" which we have assigned to some vulnerabilities a while ago. Now we noticed that only 5-6 vulnerabilities are having this assessment even though we assigned it to more than that. How is this possible? ( ProGet 2022.29)
      3863a446-8426-4a4d-a510-820250b3dcf1-image.png
      Further, after upgrading to ProGet 2023 on a test server (which is an exact copy of our live system) 0 vulnerabilities had this assessment. Somehow this information got lost. Is this already a known problem? Or is this behavior intentional?

      Thanks

      posted in Support
      C
      caterina
    • Wrong version shown in Usage&Statistics

      Looking at the Usage&Statistic of a package, we can see the Latest Version of a consumer.
      We noticed that the Latest Version is not the highest version of a consumer, but the latest version uploaded.
      E.g.: We uploaded a project in version 2.0.0 and 2.0.0 is shown as Latest Version in its dependencies. Afterwards we had to upload a fix from a branch in version 1.6.1. Now 1.6.1 is shown as Latest Versions in the same dependencies.
      One could assume that only versions below 1.6.1 are affected if a vulnerability is found in the package.

      Could anybody else observe this behavior? Is it supposed to work this way?

      posted in Support
      C
      caterina
    • 1
    • 2
    • 2 / 2