fix(vulnerabilities): do not force exact patch version for PyPI datas…

…ource in GitHub alerts (#29586)
renovatebot · Jun 11, 2024 · 38ce2ec · 38ce2ec
1 parent e6b04da
commit 38ce2ec
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -108,7 +108,7 @@ An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns pip alerts 1`] = `
 [
   {
-    "allowedVersions": "==2.2.1.0",
+    "allowedVersions": ">=2.2.1.0",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",

diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
@@ -207,7 +207,7 @@ export async function detectVulnerabilityAlerts(
           // TODO: types (#22198)
           const allowedVersions =
             datasource === PypiDatasource.id
-              ? `==${val.firstPatchedVersion!}`
+              ? `>=${val.firstPatchedVersion!}`
               : val.firstPatchedVersion;
           const matchFileNames =
             datasource === GoDatasource.id