Describe the bug
I have a PR that upgrades our application from Nokogiri v1.18.2 to v1.18.3 to address the recent CVE. However, in that PR the dependency review action is reporting v1.18.3 as vulnerable despite it being the patched version. (logs)
GHSA-vvfq-8hwr-qm4m
I suppose this could be some issue with the CVE report on Nokogiri's end but their "v1.18.3 is the patched version" part looks fine and they seem pretty well versed with the CVE system based on their last couple releases.
Expected behavior
No warning as the gem in question is being bumped to the patched version.
Screenshots
Action version
v4.5.0 (latest)
Examples
I don't have any examples but imagine any PR bumping Nokogiri to v1.18.3 will run into this issue.
Additional context
None 🙇♂
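To verify the advisory's claim independently of the action, this added Ruby example (not from the issue or from the dependency-review action's code) reads the resolved nokogiri version from a Gemfile.lock and compares it semantically against the patched version given in the report (1.18.3 for GHSA-vvfq-8hwr-qm4m). The lockfile excerpt is constructed, the "strictly below the patched version" range is an assumption taken from the report's wording, and the string-comparison function only illustrates one way such a false positive can arise, not the cause of this one.

```ruby
# Advisory data as stated in the report. The affected range ("< 1.18.3") is an
# assumption derived from "v1.18.3 is the patched version"; confirm against the
# advisory itself before relying on it.
ADVISORY = {
  id: "GHSA-vvfq-8hwr-qm4m",
  gem: "nokogiri",
  patched: Gem::Version.new("1.18.3"),
}.freeze

# Constructed Gemfile.lock excerpt (not taken from the reporter's PR).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.8)
      nokogiri (1.18.3)
        mini_portile2 (~> 2.8.2)
        racc (~> 1.4)
      racc (1.8.1)
LOCK

# Extract the resolved version of a gem from a Gemfile.lock body.
# Direct spec lines sit at four spaces of indentation; their dependency
# lines sit at six, so the anchored pattern skips the latter.
def locked_version(lockfile, gem_name)
  m = lockfile.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# Semantic comparison: vulnerable only if strictly below the patched version.
def vulnerable?(version, advisory)
  version < advisory[:patched]
end

# The pitfall a scanner must avoid: plain string comparison orders "1.18.10"
# before "1.18.3", so a fixed release can be reported as vulnerable.
def vulnerable_by_string?(version_str, advisory)
  version_str < advisory[:patched].to_s
end

# Overall verdict for a lockfile against one advisory.
def check(lockfile, advisory)
  v = locked_version(lockfile, advisory[:gem])
  return :not_present unless v
  vulnerable?(v, advisory) ? :vulnerable : :patched
end

puts "#{ADVISORY[:gem]} #{ADVISORY[:id]}: #{check(SAMPLE_LOCKFILE, ADVISORY)}"
```

Running it against the constructed lockfile reports `:patched`, which is the verdict the reporter expected from the action.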