
feat: add no-fix-available regression fixture (#528)#772

Open
Ayush7614 wants to merge 1 commit into OWASP:main from Ayush7614:feat/no-fix-available

Conversation

@Ayush7614 Ayush7614 commented Jun 30, 2026

Collaborator

Summary

  • Adds examples/no-fix-available/ for fixture 8 of #528 (Help wanted: edge case lockfile fixtures for regression testing)
  • html-minifier@4.0.0 is the latest published version, still vulnerable, with no OSV fixed-version hint
  • Scanner must report ⚠ no fix and must not suggest a misleading install/update command
  • Regression test in tests/fixture-scan.test.ts with negative guards

Scan output

node dist/index.js examples/no-fix-available --verbose

Produces:

  • 1 high finding: html-minifier@4.0.0 with ⚠ no fix (GHSA-pfq8-rq6v-vf5m)
  • No auto-fix command — skipped with: No published versions above 4.0.0 were found for html-minifier.

Test plan

  • npm test -- tests/fixture-scan.test.ts -t no-fix-available
  • node dist/index.js examples/no-fix-available --verbose

Closes fixture 8 from #528

Craft a minimal html-minifier@4.0.0 lockfile where the latest published
version is still vulnerable and OSV provides no fixed-version hint —
scanner must report ⚠ no fix and skip misleading install/update commands.
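One way to implement the guard this fixture exercises, written here as an added example rather than the project's own scanner code: a remediation step only emits an install command when a published version exists that is newer than the installed one and outside every affected range; otherwise it reports "no fix" with the reason. The advisory object follows the OSV schema's `affected[].ranges[].events` layout; its contents, the registry snapshot, the `example-pkg` package and all function names are constructed assumptions, with only `html-minifier`, `4.0.0` and `GHSA-pfq8-rq6v-vf5m` taken from the PR above.

```typescript
// Added example, not code from the project: decide whether a vulnerable
// dependency can carry an install/update suggestion or must be reported as
// "no fix". Advisory and registry data below are constructed samples that
// follow the OSV schema's affected[].ranges[].events shape.

type OsvEvent = { introduced?: string; fixed?: string };
type OsvRange = { type: "SEMVER" | "ECOSYSTEM" | "GIT"; events: OsvEvent[] };
type OsvAffected = { package: { ecosystem: string; name: string }; ranges?: OsvRange[] };
type OsvAdvisory = { id: string; affected: OsvAffected[] };

type Remediation =
  | { kind: "fix"; version: string; command: string }
  | { kind: "no-fix"; reason: string };

// Minimal numeric semver: "1.2.3" -> [1, 2, 3]; missing parts count as 0.
// Pre-release tags are ignored, which is enough for these lockfile cases.
function parseSemver(v: string): [number, number, number] {
  const parts = v.split("-")[0].split(".").map((p) => parseInt(p, 10) || 0);
  return [parts[0] ?? 0, parts[1] ?? 0, parts[2] ?? 0];
}

function compareSemver(a: string, b: string): number {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// OSV semantics: an "introduced" event opens an affected interval and the
// next "fixed" event closes it (exclusive). An interval that is never closed
// by a "fixed" event affects every later version.
function isAffected(adv: OsvAdvisory, name: string, version: string): boolean {
  for (const a of adv.affected) {
    if (a.package.name !== name) continue;
    for (const r of a.ranges ?? []) {
      if (r.type !== "SEMVER") continue;
      let open: string | null = null;
      for (const e of r.events) {
        if (e.introduced !== undefined) open = e.introduced;
        if (e.fixed !== undefined) {
          if (open !== null && compareSemver(open, version) <= 0 && compareSemver(version, e.fixed) < 0) return true;
          open = null;
        }
      }
      if (open !== null && compareSemver(open, version) <= 0) return true;
    }
  }
  return false;
}

// Every "fixed" version the advisory names for this package (may be empty).
function fixedVersions(adv: OsvAdvisory, name: string): string[] {
  const out: string[] = [];
  for (const a of adv.affected) {
    if (a.package.name !== name) continue;
    for (const r of a.ranges ?? []) for (const e of r.events) if (e.fixed) out.push(e.fixed);
  }
  return out;
}

// A fix command is only produced when a published version exists that is
// newer than the installed one AND falls outside every affected range, so the
// scanner never prints an install that would land on a vulnerable or
// nonexistent version. The reasons follow the order the PR's output implies:
// "nothing newer published" is checked before "advisory has no fixed hint".
function remediation(adv: OsvAdvisory, name: string, installed: string, published: string[]): Remediation {
  const newer = published.filter((v) => compareSemver(v, installed) > 0).sort(compareSemver);
  const safe = newer.find((v) => !isAffected(adv, name, v));
  if (safe !== undefined) {
    return { kind: "fix", version: safe, command: `npm install ${name}@${safe}` };
  }
  if (newer.length === 0) {
    return { kind: "no-fix", reason: `No published versions above ${installed} were found for ${name}.` };
  }
  if (fixedVersions(adv, name).length === 0) {
    return { kind: "no-fix", reason: `${adv.id} lists no fixed version for ${name}.` };
  }
  return { kind: "no-fix", reason: `All published versions above ${installed} of ${name} are still affected.` };
}

// Constructed sample mirroring the fixture: the advisory only says
// "introduced: 0" and the (constructed) registry has nothing newer than 4.0.0.
const noFixAdvisory: OsvAdvisory = {
  id: "GHSA-pfq8-rq6v-vf5m",
  affected: [{ package: { ecosystem: "npm", name: "html-minifier" }, ranges: [{ type: "SEMVER", events: [{ introduced: "0" }] }] }],
};
const htmlMinifierPublished = ["3.5.21", "4.0.0"];

// Constructed counter-example (placeholder id and package) where a fix exists.
const fixedAdvisory: OsvAdvisory = {
  id: "EXAMPLE-0001",
  affected: [{ package: { ecosystem: "npm", name: "example-pkg" }, ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.2.3" }] }] }],
};
const examplePublished = ["1.2.0", "1.2.2", "1.2.3", "1.3.0"];

console.log(remediation(noFixAdvisory, "html-minifier", "4.0.0", htmlMinifierPublished));
console.log(remediation(fixedAdvisory, "example-pkg", "1.2.2", examplePublished));
```

The negative guard a regression test would assert is the first call: it must yield `kind: "no-fix"` with no `command` field at all, rather than a command pointing at a version that does not exist.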
@Ayush7614 Ayush7614 requested a review from sonukapoor as a code owner June 30, 2026 14:15
@Ayush7614

Collaborator Author

cc: @sonukapoor
