feat: show fix version publish date in terminal and HTML output. #700
coder-Yash886 wants to merge 1 commit into
@sonukapoor Please review the PR when you have free time
sonukapoor
left a comment
Nice feature - the core implementation is solid, the HTML copy button correctly omits the date, and the cache loading is properly defensive. Two things worth addressing before merge.
| target => `${target.package} published ${formatFixVersionPublishDate(target.fixVersionPublishedAt!)}`, | ||
| ); | ||
| return ` (${parts.join(", ")})`; | ||
| } |
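Review bot: the template callback relies on a non-null assertion, `target.fixVersionPublishedAt!`, to feed formatFixVersionPublishDate. If the targets without a date are dropped by a filter just before this map (outside the visible lines), writing that filter as a type-guard predicate (`(t): t is SuggestedFixTarget & { fixVersionPublishedAt: string }`) lets TypeScript narrow the type, so the `!` can be removed and a null can no longer reach the formatter unnoticed.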
The single vs multi-package format ends up inconsistent - for one target you get (published 2021-02-20) but for two targets you get (lodash published 2021-02-20, express published 2022-01-15). The package name appears in the multi case but not the single one. Could you unify these? Either always include the package name, or put each date on its own indented line below the command for the multi-package case. There is also no test covering the multi-package path - worth adding one.
| } | ||
| }); | ||
|
|
||
| it("sets maliciousUnverifiable when MAL- advisory matches a package from a private registry", async () => { |
One edge case not covered: offline mode. The spec mentions silent skip for --offline but there is no test confirming fixVersionPublishedAt stays null when offline. The code path is already gated behind if (!offline) in scanner.ts so the behavior is correct - a test would just document the intent explicitly.
Closes #671
Summary
When CVE Lite recommends a fix version, it now shows when that version was published on npm. Teams using minimum release age policies (e.g. rejecting packages published less than N days ago) can judge supply-chain risk inline without checking the registry manually.
Example terminal / HTML output:
Changes
Added fixVersionPublishedAt?: string | null to Finding — stores the raw ISO timestamp from npm
Fetch publish date from GET https://registry.npmjs.org/ → time[version] after validatedFirstFixedVersion is confirmed in validateDirectFixTargets()
Persist results in the existing OSV cache file under npmVersionEntries, keyed by package@version
Display formatted as YYYY-MM-DD at render time in:
src/output/printers.ts — fix command callouts
src/output/html-reporter.ts — suggested fix plan section
Pass publish date through SuggestedFixTarget in the fix command plan
Edge cases (silent skip — no date shown)
Package not on npm (private registry, workspace package)
Network error or offline mode
Version missing from the npm time map
Motivation
Surfaced by a DINUM (French government) user running CVE Lite with a pre-commit hook and a minimum release age policy. For CRITICAL/HIGH CVEs with a young fix, teams can weigh exploit risk vs supply-chain risk; for LOW/MEDIUM, they can wait for the fix to age before upgrading.
Test plan
npm test — 286 tests pass (3 new tests added)
npm run build — TypeScript compiles cleanly
Scan a project with a known CVE (e.g. old lodash) and confirm (published YYYY-MM-DD) appears next to the fix command
Open HTML report (--report) and verify publish date shows in the fix plan; Copy button copies command without the date
Offline scan (--offline) — no publish date, no errors
Re-scan same project — publish date served from cache (no extra registry calls for same package@version)
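The lookup, caching and silent-skip behaviour described in this PR, as an added illustration that is not CVE Lite's own code. Names such as NpmPackument, resolveFixVersionPublishDate, fixCallout and the constructed SAMPLE_REGISTRY are assumptions; a real fetcher would be asynchronous and GET the packument from the npm registry, here it is a synchronous stub so the example runs offline.

```typescript
// Assumed names, not CVE Lite's API. Cache shape mirrors the PR: npmVersionEntries keyed by package@version.
type NpmPackument = { time?: Record<string, string> };
type FixDateCache = { npmVersionEntries: Record<string, string | null> };
// A real fetcher would GET https://registry.npmjs.org/<name>; null stands for "not on npm" (404).
type Fetcher = (pkg: string) => NpmPackument | null;

export function resolveFixVersionPublishDate(
  pkg: string, version: string,
  opts: { offline: boolean; cache: FixDateCache; fetchPackument: Fetcher },
): string | null {
  if (opts.offline) return null;                          // --offline: no registry call at all
  const key = `${pkg}@${version}`;
  const cached = opts.cache.npmVersionEntries[key];
  if (cached !== undefined) return cached;                // cache hit (a cached null is a hit too)
  let doc: NpmPackument | null = null;
  try { doc = opts.fetchPackument(pkg); } catch { doc = null; }  // network error -> silent skip
  // Private registry / workspace package (no packument) or version absent from time map -> null
  const iso = doc?.time?.[version] ?? null;
  opts.cache.npmVersionEntries[key] = iso;                // cache misses too: no repeat lookups
  return iso;
}

export function formatFixVersionPublishDate(iso: string): string {
  return new Date(iso).toISOString().slice(0, 10);       // YYYY-MM-DD, rendered at display time
}

// Whole days since publication, the number a minimum-release-age policy compares against.
export function fixVersionAgeDays(iso: string, now: Date): number {
  return Math.floor((now.getTime() - Date.parse(iso)) / 86_400_000);
}

type SuggestedFixTarget = { package: string; version: string; publishedAt: string | null };

// One shape for single- and multi-package callouts: the package name is always included.
export function fixCallout(targets: SuggestedFixTarget[]): string {
  const dated = targets.filter(
    (t): t is SuggestedFixTarget & { publishedAt: string } => t.publishedAt !== null,
  );
  if (dated.length === 0) return "";                       // all dates skipped -> no suffix
  const parts = dated.map(
    (t) => `${t.package}@${t.version} published ${formatFixVersionPublishDate(t.publishedAt)}`,
  );
  return ` (${parts.join(", ")})`;
}

// Constructed sample packuments for the example; not live registry data.
export const SAMPLE_REGISTRY: Record<string, NpmPackument> = {
  lodash: { time: { "4.17.21": "2021-02-20T15:42:16.891Z" } },
  express: { time: { "4.17.2": "2022-01-15T09:00:00.000Z" } },
};
export const sampleFetcher: Fetcher = (pkg) => SAMPLE_REGISTRY[pkg] ?? null;
```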