fix: correct GHSA-pfr9-2p92-qrhq dbn fixed version 0.22.0 -> 0.22.1#7483
Conversation
github-actions
Bot
changed the base branch from
main
to
DEVSOG12/advisory-improvement-7483
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the GHSA advisory for DBN to reflect the correct patched release version, aligning it with the already-correct RUSTSEC guidance.
Changes:
- Update the vulnerable range “fixed” version from
0.22.0to0.22.1 - Update the advisory
modifiedtimestamp
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "schema_version": "1.4.0", | ||
| "id": "GHSA-pfr9-2p92-qrhq", | ||
| "modified": "2024-10-09T14:34:24Z", | ||
| "modified": "2026-04-21T00:00:00Z", |
There was a problem hiding this comment.
The PR description states only fixed: "0.22.0" -> "0.22.1", but this change also updates the modified timestamp. Please either update the PR description to mention the modified bump or avoid changing modified if this repository expects tooling to manage it.
| "schema_version": "1.4.0", | ||
| "id": "GHSA-pfr9-2p92-qrhq", | ||
| "modified": "2024-10-09T14:34:24Z", | ||
| "modified": "2026-04-21T00:00:00Z", |
There was a problem hiding this comment.
Setting modified to a hardcoded midnight timestamp (T00:00:00Z) can reduce auditability and may not reflect the actual edit time. Prefer using the actual RFC3339 timestamp for when the advisory was updated (or leaving this field unchanged if it’s meant to be auto-updated by the repo’s publishing tooling).
| "modified": "2026-04-21T00:00:00Z", | |
| "modified": "2026-04-21T12:00:00Z", |
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
advisory-database
Bot
merged commit 8ccd1e6
into
github:DEVSOG12/advisory-improvement-7483
|
Hi @DEVSOG12! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
git merge-base --is-ancestor 339efb90fdb980920a5e8829008abc1114f4bfdd v0.22.0returns false — the fix commit was authored 2024-10-08, seven days after the v0.22.0 tag (2024-10-01). The 0.22.0 crate shipsrust/dbn/src/record/conv.rsbyte-identical to the pre-fix state.Note: RUSTSEC-2024-0377 already has this correct with
patched = ["> 0.22.0"]. This PR aligns the GHSA to match.fixed: "0.22.0"->fixed: "0.22.1"