Summary
The How Remediation Works page covers the scenario where the same package is installed at two different versions through two different intermediate parents. It does not cover the related but distinct scenario where one version is a direct dependency and a different (older, vulnerable) version is also installed transitively through unrelated packages.
Scenario to document
Example: a project declares uuid@14.0.0 as a direct dependency. Three other packages (@compodoc/live-server, nyc, codecov) each pull in uuid@8.3.2 transitively. The lockfile contains both versions.
Key points to explain:
- The two versions are independent installs — one direct, one transitive
- The fix for the transitive uuid@8.3.2 is a parent upgrade through one of the three intermediate packages, not npm install uuid@9.0.0
- Running npm install uuid@9.0.0 would be wrong — it would install a third version and conflict with the declared uuid@14.0.0
- CVE Lite CLI should classify each version independently by checking whether the specific installed version is the declared direct dependency
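As an added illustration of the per-version classification described above (example code, not CVE Lite CLI's own): it walks a constructed package-lock.json v3 "packages" map matching this scenario and reports, for each installed copy of uuid, whether it is the declared direct dependency and which parents pull in the transitive copy. The lockfile contents and the minimal caret-range check are assumptions made for the example.

```javascript
// Added example, not CVE Lite CLI's own code: walk a lockfile v3 "packages"
// map and classify every installed copy of one package as the declared direct
// dependency or as a transitive install, naming the parent that pulls it in.

// Constructed package-lock.json fragment (v3 shape) matching the scenario above.
const LOCK = {
  packages: {
    '': { dependencies: { uuid: '^14.0.0', nyc: '^15.1.0', codecov: '^3.8.0',
                          '@compodoc/live-server': '^1.2.0' } },
    'node_modules/uuid': { version: '14.0.0' },
    'node_modules/nyc': { version: '15.1.0', dependencies: { uuid: '^8.3.2' } },
    'node_modules/nyc/node_modules/uuid': { version: '8.3.2' },
    'node_modules/codecov': { version: '3.8.3', dependencies: { uuid: '^8.3.2' } },
    'node_modules/codecov/node_modules/uuid': { version: '8.3.2' },
    'node_modules/@compodoc/live-server': { version: '1.2.3', dependencies: { uuid: '^8.3.2' } },
    'node_modules/@compodoc/live-server/node_modules/uuid': { version: '8.3.2' },
  },
};

// Minimal caret-range check (^X.Y.Z): same major, and version >= X.Y.Z.
function satisfiesCaret(range, version) {
  const want = range.replace(/^\^/, '').split('.').map(Number);
  const have = version.split('.').map(Number);
  if (want[0] !== have[0]) return false;
  for (let i = 0; i < 3; i++) {
    if (have[i] !== want[i]) return have[i] > want[i];
  }
  return true;
}

// Returns { version: { direct, parents } } for every installed copy of `name`.
function classifyInstalls(lock, name) {
  const root = lock.packages[''] || {};
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) }[name];
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== `node_modules/${name}` && !path.endsWith(`/node_modules/${name}`)) continue;
    const prefix = path.slice(0, path.length - `node_modules/${name}`.length).replace(/\/$/, '');
    const parent = prefix === '' ? null : prefix.slice(prefix.lastIndexOf('node_modules/') + 'node_modules/'.length);
    // Direct only if this is the top-level copy and it satisfies the root's declared range.
    const direct = parent === null && declared !== undefined && satisfiesCaret(declared, entry.version);
    const rec = out[entry.version] || (out[entry.version] = { direct: false, parents: [] });
    rec.direct = rec.direct || direct;
    if (parent !== null) rec.parents.push(parent);
  }
  return out;
}

console.log(JSON.stringify(classifyInstalls(LOCK, 'uuid'), null, 2));
```

For this lockfile the output shows 14.0.0 as direct with no parents, and 8.3.2 as transitive with nyc, codecov and @compodoc/live-server as parents, which is exactly the split that drives the two different remediations.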
Related
Discovered while scanning compodoc — tracked as bug #553.