
Remove upper bound for AngularJS vulnerabilities

This is a follow-up to MR Update version ranges for AngularJS vulnerabili... (!27657 - merged) (see discussion: !27657 (comment 1836988522)).

I'd like to propose to remove the upper bound (<= 1.8.3) for the AngularJS vulnerabilities.

The rationale is that, as a user, I would rather have the vulnerability (or vulnerabilities) reported (shown in the vulnerability report) and manually check whether they apply or not, as it is more explicit. For instance, if an LTS version is used, it would help in identifying the version that fixes the vulnerability and updating to it (if possible). For example, a dependency using an LTS version could be at a hypothetical version 1.8.4, and 1.8.5 fixes a newly found vulnerability. Without this showing up in the report, it could potentially be missed (although keeping dependencies up to date would avoid it too).

I am ok if this is rejected but still wanted to try and propose this.

Edited by Matthias Schoettle
