Skip to content

fix(GHSA-v98h-vmpc-fpqv): add fixed:5.11.1 to open-ended npm/NuGet/Packagist ranges#8002

Open
bluvulture wants to merge 1 commit into
github:bluvulture/advisory-improvement-8002from
bluvulture:bluvulture-GHSA-v98h-vmpc-fpqv
Open

fix(GHSA-v98h-vmpc-fpqv): add fixed:5.11.1 to open-ended npm/NuGet/Packagist ranges#8002
bluvulture wants to merge 1 commit into
github:bluvulture/advisory-improvement-8002from
bluvulture:bluvulture-GHSA-v98h-vmpc-fpqv

Conversation

@bluvulture

Copy link
Copy Markdown

Problem

The npm tinymce, NuGet TinyMCE, and Packagist tinymce/tinymce affected entries
with "introduced": "0" are missing a "fixed" event. Without a fixed bound, the OSV
ecosystem version enumeration populates those entries with all known versions from
the registry — including patched releases like 7.9.3 and 8.5.1.

This causes OSV-Scanner to report tinymce/tinymce@7.9.3 as vulnerable despite it
being the fix release for this CVE, producing false positives for users who have
already upgraded.

Fix

Added "fixed": "5.11.1" to the open-ended range events for npm tinymce,
NuGet TinyMCE, and Packagist tinymce/tinymce. This correctly bounds the legacy
5.x range and prevents patched versions from appearing in the affected versions list.

The pattern is consistent with how the NuGet entry was already correctly expressed in
GHSA-q742-qvgc-gc2f, which includes "fixed": "5.11.1" in its introduced: 0 range.

References

related:
#8001
#8000

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the OSV/GHSA advisory to represent the remediation boundary using explicit fixed events rather than database_specific.last_known_affected_version_range.

Changes:

  • Added "fixed": "5.11.1" to the affected version range events (repeated across affected entries).
  • Removed database_specific.last_known_affected_version_range from the affected entries.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 26 to +35
"events": [
{
"introduced": "0"
},
{
"fixed": "5.11.1"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "< 5.11.1"
}
]
@github-actions github-actions Bot changed the base branch from main to bluvulture/advisory-improvement-8002 June 11, 2026 06:22
@github-actions

Copy link
Copy Markdown

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants