GHSA-4hmj-39m8-jwc7 record stale - upstream GHSA fix merged 2026-04-24 not reflected #5289

@simon-reisinger-dynatrace

Description

Describe the bug
The advisory data shown for GHSA-4hmj-39m8-jwc7 on OSV is out of date and does not reflect the corrected information published in the GHSA. Specifically, an invalid CVSS:4.0 vector string (containing a trailing / separator) was corrected and merged into the GHSA on April 24, 2026. The corrected advisory is now displayed correctly on GHSA but OSV still shows the old, invalid data (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/).

To Reproduce
Steps to reproduce the behaviour:

  1. Open the corrected upstream advisory at GHSA-4hmj-39m8-jwc7 and note the CVSS:4.0 vector string ends with ...SI:N/SA:N (no trailing /)
  2. Open the OSV record at https://osv.dev/vulnerability/GHSA-4hmj-39m8-jwc7
  3. Compare the severity data shown on OSV with the upstream GHSA record
  4. Observe that OSV still displays the pre-fix data (invalid CVSS:4.0 vector with the trailing /), even though the upstream fix was merged on 2026-04-24.

Expected behaviour
Per the documented SLO, the OSV record should reflect the upstream GHSA content within 15 minutes of the upstream change. The OSV page for GHSA-4hmj-39m8-jwc7 should therefore show the corrected CVSS:4.0 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
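As an added example (not code from this issue, from OSV or from GitHub), the check a consumer of advisory data could run to catch a malformed CVSS:4.0 vector like the stale one quoted above. It validates a vector string against the CVSS v4.0 vector-string format (the CVSS:4.0 prefix, /-separated NAME:VALUE metrics, no empty segments, known metric names and values, no duplicates, all eleven base metrics present and in the canonical order of the specification's table) and then scans the severity array of an OSV JSON record for CVSS_V4 entries that fail. The OSV record embedded in the block is constructed to mirror what the report describes; it is not fetched from osv.dev, and the helper names are this example's own.

```python
"""Validate CVSS:4.0 vector strings and flag malformed ones in an OSV record.

Example code written for this issue, not part of OSV or GitHub tooling.
"""
import json
import re

PREFIX = "CVSS:4.0"
METRIC_RE = re.compile(r"^([A-Z]+):([A-Za-z]+)$")

# Mandatory base metrics in canonical order, with their abbreviated values
# (CVSS v4.0 specification, vector-string table).
BASE_METRICS = (
    ("AV", ("N", "A", "L", "P")), ("AC", ("L", "H")), ("AT", ("N", "P")),
    ("PR", ("N", "L", "H")), ("UI", ("N", "P", "A")),
    ("VC", ("H", "L", "N")), ("VI", ("H", "L", "N")), ("VA", ("H", "L", "N")),
    ("SC", ("H", "L", "N")), ("SI", ("H", "L", "N")), ("SA", ("H", "L", "N")),
)
# Optional Threat, Environmental and Supplemental metrics ("X" = Not Defined).
OPTIONAL_METRICS = {
    "E": ("X", "A", "P", "U"),
    "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
    "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
    "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
    "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
    "MSC": ("X", "H", "L", "N"), "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALL_METRICS = {**dict(BASE_METRICS), **OPTIONAL_METRICS}


def validate_cvss4(vector: str) -> list[str]:
    """Return the problems found in a CVSS:4.0 vector; an empty list means valid."""
    errors: list[str] = []
    parts = vector.split("/")
    if parts[0] != PREFIX:
        return [f"vector must start with {PREFIX!r}, got {parts[0]!r}"]
    seen: dict[str, str] = {}  # insertion order records the metric order
    for i, seg in enumerate(parts[1:], start=1):
        if seg == "":
            # A trailing "/" (the defect in the stale record) lands here.
            where = "trailing" if i == len(parts) - 1 else f"at position {i}"
            errors.append(f"empty metric segment ({where} '/' separator)")
            continue
        m = METRIC_RE.match(seg)
        if not m:
            errors.append(f"malformed metric segment {seg!r}")
            continue
        name, value = m.groups()
        allowed = ALL_METRICS.get(name)
        if allowed is None:
            errors.append(f"unknown metric {name!r}")
            continue
        if value not in allowed:
            errors.append(f"metric {name} has invalid value {value!r}")
        if name in seen:
            errors.append(f"metric {name} appears more than once")
        seen[name] = value
    base_names = [n for n, _ in BASE_METRICS]
    missing = [n for n in base_names if n not in seen]
    if missing:
        errors.append("missing mandatory base metrics: " + ", ".join(missing))
    present_order = [n for n in seen if n in base_names]
    canonical_order = [n for n in base_names if n in seen]
    if present_order != canonical_order:
        errors.append("base metrics are not in canonical order")
    return errors


def invalid_severities(record: dict) -> list[tuple[str, list[str]]]:
    """Return (score, errors) for each CVSS_V4 severity entry of an OSV record that fails."""
    bad = []
    for entry in record.get("severity", []):
        if entry.get("type") == "CVSS_V4":
            errors = validate_cvss4(entry.get("score", ""))
            if errors:
                bad.append((entry.get("score", ""), errors))
    return bad


STALE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/"
CORRECTED_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"

# Constructed stand-in for the stale OSV record (only the fields this check reads).
SAMPLE_OSV_RECORD = json.loads(json.dumps({
    "id": "GHSA-4hmj-39m8-jwc7",
    "severity": [{"type": "CVSS_V4", "score": STALE_VECTOR}],
}))

if __name__ == "__main__":
    for score, errs in invalid_severities(SAMPLE_OSV_RECORD):
        print(f"{SAMPLE_OSV_RECORD['id']}: {score}\n  - " + "\n  - ".join(errs))
    print("corrected vector valid:", validate_cvss4(CORRECTED_VECTOR) == [])
```

Run against a real record, point invalid_severities at the JSON returned by the OSV API for the advisory and compare the reported vector with the one shown on the GHSA page; a non-empty result on the OSV side after the upstream fix is the staleness this issue describes.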
