Correcting GHSA-q36x-r5x4-h4q6 Advisory

[awsactran]

Hello there,

It seems that the following security advisories contain malformed affected version ranges.

GHSA-q36x-r5x4-h4q6
GHSA-ccw9-q5h2-8c2w

Suggested version range:

# For GHSA-q36x-r5x4-h4q6
>= 1.0.0, < 1.2.0

# For GHSA-ccw9-q5h2-8c2w
>= 1.0.0, < 1.19.2

Reference:
GHSA-q36x-r5x4-h4q6
GHSA-ccw9-q5h2-8c2w

[Lukasa]

In what sense are they malformed? Is there a specification for these?

[awsactran]

The ones that are within Apple repository seem to be malformed in the sense of unclear range. They are, however, mapped correctly when published to reviewed GHSA.

For example, GHSA-q36x-r5x4-h4q6 mentions the affected version as 1.0.0..<1.20 which seems to be malformed in terms of range indication. Double dots here might not be honored by consumers.

On GHSA end, it got corrected by GHSA team during their review to >= 1.0.0, < 1.2.0

[Lukasa]

Yeah, I see the change occurred. My question remains: in what sense is this malformed? Is there a specification somewhere of what is valid to put in that box?