fix(nodejs): don't use prerelease logic for compare npm constraints #9208

DmitriyLewen · 2025-07-16T11:01:46Z

Description

This PR updates the NPM vulnerability comparison logic to include prerelease versions when matching constraints. The change enables proper detection of vulnerabilities in packages with prerelease versions (e.g., 1.45.1-lts.1).

Reason

GitHub advisory database don't use npm semver rules for prerelease versions - github/advisory-database#5795 (comment)
But the current implementation was not properly handling prerelease versions when evaluating vulnerability constraints. This meant that packages with prerelease versions could be incorrectly assessed as safe when they should be flagged as vulnerable.

Example

before:

➜ trivy -q rootfs package.json 

Report Summary

┌──────────────┬──────────┬─────────────────┬─────────┐
│    Target    │   Type   │ Vulnerabilities │ Secrets │
├──────────────┼──────────┼─────────────────┼─────────┤
│ package.json │ node-pkg │        0        │    -    │
└──────────────┴──────────┴─────────────────┴─────────┘

After:

➜  ./trivy -q rootfs package.json --table-mode detailed

Node.js (node-pkg)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ multer (package.json) │ CVE-2025-47935 │ HIGH     │ fixed  │ 1.4.4-lts.1       │ 2.0.0         │ Multer vulnerable to Denial of Service via memory leaks from │
│                       │                │          │        │                   │               │ unclosed streams...                                          │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-47935                   │
│                       ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2025-47944 │          │        │                   │               │ Multer vulnerable to Denial of Service from maliciously      │
│                       │                │          │        │                   │               │ crafted requests                                             │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-47944                   │
│                       ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                       │ CVE-2025-48997 │          │        │                   │ 2.0.1         │ multer: Multer vulnerable to Denial of Service via unhandled │
│                       │                │          │        │                   │               │ exception                                                    │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-48997                   │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Related issues

Close bug(npm): Trivy incorrect checks versions with pre-release suffix #9144

Related PRs

feat: add WithPreRelease option go-npm-version#4

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

- Use WithPreRelease(true) for Constraints - Add test case

DmitriyLewen · 2025-07-16T11:05:39Z

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
-	github.com/aquasecurity/go-npm-version v0.0.1
+	github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083


Perhaps we want to cut v0.0.2 version

Done https://github.com/aquasecurity/go-npm-version/releases/tag/v0.0.2

knqyf263 · 2025-07-16T13:43:48Z

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
-	github.com/aquasecurity/go-npm-version v0.0.1
+	github.com/aquasecurity/go-npm-version v0.0.2-0.20250716070109-f686488af083


Done https://github.com/aquasecurity/go-npm-version/releases/tag/v0.0.2

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.64.1` -> `0.65.0` | --- ### Release Notes <details> <summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary> ### [`v0.65.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0650-2025-07-30) [Compare Source](aquasecurity/trivy@v0.64.1...v0.65.0) ##### Features - add graceful shutdown with signal handling ([#9242](aquasecurity/trivy#9242)) ([2c05882](aquasecurity/trivy@2c05882)) - add HTTP request/response tracing support ([#9125](aquasecurity/trivy#9125)) ([aa5b32a](aquasecurity/trivy@aa5b32a)) - **alma:** add AlmaLinux 10 support ([#9207](aquasecurity/trivy#9207)) ([861d51e](aquasecurity/trivy@861d51e)) - **flag:** add schema validation for `--server` flag ([#9270](aquasecurity/trivy#9270)) ([ed4640e](aquasecurity/trivy@ed4640e)) - **image:** add Docker context resolution ([#9166](aquasecurity/trivy#9166)) ([99cd4e7](aquasecurity/trivy@99cd4e7)) - **license:** observe pkg types option in license scanner ([#9091](aquasecurity/trivy#9091)) ([d44af8c](aquasecurity/trivy@d44af8c)) - **misconf:** add private ip google access attribute to subnetwork ([#9199](aquasecurity/trivy#9199)) ([263845c](aquasecurity/trivy@263845c)) - **misconf:** added logging and versioning to the gcp storage bucket ([#9226](aquasecurity/trivy#9226)) ([110f80e](aquasecurity/trivy@110f80e)) - **repo:** add git repository metadata to reports ([#9252](aquasecurity/trivy#9252)) ([f4b2cf1](aquasecurity/trivy@f4b2cf1)) - **report:** add CVSS vectors in sarif report ([#9157](aquasecurity/trivy#9157)) ([60723e6](aquasecurity/trivy@60723e6)) - **sbom:** add SHA-512 hash support for CycloneDX SBOM ([#9126](aquasecurity/trivy#9126)) ([12d6706](aquasecurity/trivy@12d6706)) ##### Bug Fixes - **alma:** parse epochs from rpmqa file ([#9101](aquasecurity/trivy#9101)) ([82db2fc](aquasecurity/trivy@82db2fc)) - also check `filepath` when removing duplicate packages ([#9142](aquasecurity/trivy#9142)) ([4d10a81](aquasecurity/trivy@4d10a81)) - **aws:** update amazon linux 2 EOL date ([#9176](aquasecurity/trivy#9176)) ([0ecfed6](aquasecurity/trivy@0ecfed6)) - **cli:** Add more non-sensitive flags to telemetry ([#9110](aquasecurity/trivy#9110)) ([7041a39](aquasecurity/trivy@7041a39)) - **cli:** ensure correct command is picked by telemetry ([#9260](aquasecurity/trivy#9260)) ([b4ad00f](aquasecurity/trivy@b4ad00f)) - **cli:** panic: attempt to get os.Args\[1] when len(os.Args) < 2 ([#9206](aquasecurity/trivy#9206)) ([adfa879](aquasecurity/trivy@adfa879)) - **license:** add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping ([#9116](aquasecurity/trivy#9116)) ([a692f29](aquasecurity/trivy@a692f29)) - **license:** handle WITH operator for `LaxSplitLicenses` ([#9232](aquasecurity/trivy#9232)) ([b4193d0](aquasecurity/trivy@b4193d0)) - migrate from `*.list` to `*.md5sums` files for `dpkg` ([#9131](aquasecurity/trivy#9131)) ([f224de3](aquasecurity/trivy@f224de3)) - **misconf:** correctly adapt azure storage account ([#9138](aquasecurity/trivy#9138)) ([51aa022](aquasecurity/trivy@51aa022)) - **misconf:** correctly parse empty port ranges in google\_compute\_firewall ([#9237](aquasecurity/trivy#9237)) ([77bab7b](aquasecurity/trivy@77bab7b)) - **misconf:** fix log bucket in schema ([#9235](aquasecurity/trivy#9235)) ([7ebc129](aquasecurity/trivy@7ebc129)) - **misconf:** skip rewriting expr if attr is nil ([#9113](aquasecurity/trivy#9113)) ([42ccd3d](aquasecurity/trivy@42ccd3d)) - **nodejs:** don't use prerelease logic for compare npm constraints ([#9208](aquasecurity/trivy#9208)) ([fe96436](aquasecurity/trivy@fe96436)) - prevent graceful shutdown message on normal exit ([#9244](aquasecurity/trivy#9244)) ([6095984](aquasecurity/trivy@6095984)) - **rootio:** check full version to detect `root.io` packages ([#9117](aquasecurity/trivy#9117)) ([c2ddd44](aquasecurity/trivy@c2ddd44)) - **rootio:** fix severity selection ([#9181](aquasecurity/trivy#9181)) ([6fafbeb](aquasecurity/trivy@6fafbeb)) - **sbom:** merge in-graph and out-of-graph OS packages in scan results ([#9194](aquasecurity/trivy#9194)) ([aa944cc](aquasecurity/trivy@aa944cc)) - **sbom:** use correct field for licenses in CycloneDX reports ([#9057](aquasecurity/trivy#9057)) ([143da88](aquasecurity/trivy@143da88)) - **secret:** add UTF-8 validation in secret scanner to prevent protobuf marshalling errors ([#9253](aquasecurity/trivy#9253)) ([54832a7](aquasecurity/trivy@54832a7)) - **secret:** fix line numbers for multiple-line secrets ([#9104](aquasecurity/trivy#9104)) ([e579746](aquasecurity/trivy@e579746)) - **server:** add HTTP transport setup to server mode ([#9217](aquasecurity/trivy#9217)) ([1163b04](aquasecurity/trivy@1163b04)) - supporting .egg-info/METADATA in python.Packaging analyzer ([#9151](aquasecurity/trivy#9151)) ([e306e2d](aquasecurity/trivy@e306e2d)) - **terraform:** `for_each` on a map returns a resource for every key ([#9156](aquasecurity/trivy#9156)) ([153318f](aquasecurity/trivy@153318f)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1073 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

…quasecurity#9208)

DmitriyLewen added 2 commits July 16, 2025 16:48

chore(deps): bump go-npm-version

f75daa3

fix(npm): use WithPreRelease:

c4f33ca

- Use WithPreRelease(true) for Constraints - Add test case

DmitriyLewen changed the title ~~fix(npm): compare~~ fix(npm): don't use prerelease logic for compare npm constraints Jul 16, 2025

DmitriyLewen changed the title ~~fix(npm): don't use prerelease logic for compare npm constraints~~ fix(node): don't use prerelease logic for compare npm constraints Jul 16, 2025

DmitriyLewen changed the title ~~fix(node): don't use prerelease logic for compare npm constraints~~ fix(nodejs): don't use prerelease logic for compare npm constraints Jul 16, 2025

DmitriyLewen commented Jul 16, 2025

View reviewed changes

DmitriyLewen marked this pull request as ready for review July 16, 2025 11:35

DmitriyLewen requested a review from knqyf263 as a code owner July 16, 2025 11:35

knqyf263 approved these changes Jul 16, 2025

View reviewed changes

chore(deps): bump go-npm-version to v0.0.2

1fce1f3

DmitriyLewen enabled auto-merge July 17, 2025 06:24

knqyf263 approved these changes Jul 17, 2025

View reviewed changes

DmitriyLewen added this pull request to the merge queue Jul 17, 2025

Merged via the queue into aquasecurity:main with commit fe96436 Jul 17, 2025
12 checks passed

DmitriyLewen deleted the fix/npm/include-prerelease branch July 17, 2025 07:00

aqua-bot mentioned this pull request Jul 17, 2025

release: v0.65.0 [main] #9108

Merged

yutatokoi pushed a commit to yutatokoi/trivy that referenced this pull request Aug 12, 2025

fix(nodejs): don't use prerelease logic for compare npm constraints (a…

80c4880

…quasecurity#9208)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(nodejs): don't use prerelease logic for compare npm constraints #9208

fix(nodejs): don't use prerelease logic for compare npm constraints #9208

Uh oh!

DmitriyLewen commented Jul 16, 2025 •

edited

Loading

Uh oh!

DmitriyLewen Jul 16, 2025

Uh oh!

knqyf263 Jul 16, 2025

Uh oh!

knqyf263 Jul 16, 2025

Uh oh!

Uh oh!

Uh oh!

fix(nodejs): don't use prerelease logic for compare npm constraints #9208

fix(nodejs): don't use prerelease logic for compare npm constraints #9208

Uh oh!

Conversation

DmitriyLewen commented Jul 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Reason

Example

Related issues

Related PRs

Checklist

Uh oh!

DmitriyLewen Jul 16, 2025

Choose a reason for hiding this comment

Uh oh!

knqyf263 Jul 16, 2025

Choose a reason for hiding this comment

Uh oh!

knqyf263 Jul 16, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

DmitriyLewen commented Jul 16, 2025 •

edited

Loading