I’ve had a difficult relationship with security alerts. On one hand, I’m excited because they help keep open source software safe and secure. On the other, they often include incorrect information or miss nuances in the development process.
Story time! Very recently, my open source project was being alerted about a Common Vulnerabilities and Exposures (or CVE for short) up the dependency tree. After doing some digging, I found out that the author actually backported the fix to older versions and made new releases. However, the software presenting the CVE didn’t take those new releases into account. The author had to email back-and-forth with the maintainers of that software to get the report applied correctly.
We hope these types of things won’t happen with Tidelift, but we also accept that mistakes will be made on occasion.
To alleviate this, lifters are now allowed to edit security alerts against their project! Was the security alert flagged for the wrong versions? Now you can update it to the correct version range. Is there an alert that doesn’t affect your usage of a development dependency? Let our subscribers know they are still safe!
Check out this awesome GIF by our engineering team to see how it works.
Have a great weekend!