fix(nodejs): don't use prerelease logic for compare npm constraints (#9208)

2025-12-12 15:50:15 -08:00 · 2025-07-17 12:40:44 +06:00
parent 6fafbeb606
commit fe96436b99
4 changed files with 21 additions and 6 deletions
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
-	github.com/aquasecurity/go-npm-version v0.0.1
+	github.com/aquasecurity/go-npm-version v0.0.2
 	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/aquasecurity/go-version v0.0.1
 	github.com/aquasecurity/iamgo v0.0.10
--- a/go.sum
+++ b/go.sum
@@ -810,8 +810,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
-github.com/aquasecurity/go-npm-version v0.0.1 h1:2i/MM+A4KI8AJrqJa/Cwsa4qyljA8S/qngPyQiIVHcA=
-github.com/aquasecurity/go-npm-version v0.0.1/go.mod h1:hxbJZtKlO4P8sZ9nztizR6XLoE33O+BkPmuYQ4ACyz0=
+github.com/aquasecurity/go-npm-version v0.0.2 h1:6sNIaeW4Hw8Xg51nPoD3VSo/5qmFSu0VL809iehEOvc=
+github.com/aquasecurity/go-npm-version v0.0.2/go.mod h1:DXyKqRe2yb83peANMjQr8dGDkHanEgoFv8BOQdWlSUQ=
 github.com/aquasecurity/go-pep440-version v0.0.1 h1:8VKKQtH2aV61+0hovZS3T//rUF+6GDn18paFTVS0h0M=
 github.com/aquasecurity/go-pep440-version v0.0.1/go.mod h1:3naPe+Bp6wi3n4l5iBFCZgS0JG8vY6FT0H4NGhFJ+i4=
 github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
--- a/pkg/detector/library/compare/npm/compare.go
+++ b/pkg/detector/library/compare/npm/compare.go
@@ -23,7 +23,7 @@ func (n Comparer) MatchVersion(currentVersion, constraint string) (bool, error)
 		return false, xerrors.Errorf("npm version error (%s): %s", currentVersion, err)
 	}

-	c, err := npm.NewConstraints(constraint)
+	c, err := npm.NewConstraints(constraint, npm.WithPreRelease(true))
 	if err != nil {
 		return false, xerrors.Errorf("npm constraint error (%s): %s", constraint, err)
 	}
--- a/pkg/detector/library/compare/npm/compare_test.go
+++ b/pkg/detector/library/compare/npm/compare_test.go
@@ -30,6 +30,17 @@ func TestNpmComparer_IsVulnerable(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "prerelease",
+			args: args{
+				currentVersion: "1.45.1-lts.1",
+				advisory: dbTypes.Advisory{
+					VulnerableVersions: []string{">=1.4.4-lts.1, <2.0.0"},
+					PatchedVersions:    []string{"2.0.0"},
+				},
+			},
+			want: true,
+		},
 		{
 			name: "no patch",
 			args: args{
@@ -68,8 +79,12 @@ func TestNpmComparer_IsVulnerable(t *testing.T) {
 			args: args{
 				currentVersion: "2.0.0",
 				advisory: dbTypes.Advisory{
-					VulnerableVersions: []string{">=1.7.0 <1.7.16", ">=1.8.0 <1.8.8", ">=2.0.0 <2.0.8", ">=3.0.0-beta.1 <3.0.0-beta.7"},
-					PatchedVersions:    []string{">=3.0.0-beta.7", ">=2.0.8 <3.0.0-beta.1", ">=1.8.8 <2.0.0", ">=1.7.16 <1.8.0"},
+					VulnerableVersions: []string{
+						">=1.7.0 <1.7.16", ">=1.8.0 <1.8.8", ">=2.0.0 <2.0.8", ">=3.0.0-beta.1 <3.0.0-beta.7",
+					},
+					PatchedVersions: []string{
+						">=3.0.0-beta.7", ">=2.0.8 <3.0.0-beta.1", ">=1.8.8 <2.0.0", ">=1.7.16 <1.8.0",
+					},
 				},
 			},
 			want: true,