Describe the issue
It is currently possible to merge commits that contain vulnerabilities into main as long as they sit before the HEAD of the incoming branch. minder seemingly does not evaluate every commit in a PR, only the overall diff, so a commit that pins a vulnerable dependency version can be included when the PR is merged.
Although this won't cause the HEAD of main (or of the target branch) to pull in the vulnerability, there should be a check that prevents any commit containing an unsafe dependency from landing on main, even if a later commit in the same PR reverts it.
To Reproduce
- Create a branch off of main
- Change a dependency's version to include a vulnerability and commit (commit A)
- Change this dependency back to a safe version in a new commit (commit B)
- Create a PR and observe that minder evaluates it as safe, despite commit A being present and introducing a vulnerable version into the history of main once merged
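To make the gap concrete, here is an added example (not minder's code, and using a constructed advisory table rather than a real vulnerability feed) that models the reproduction above as an in-memory commit history. It contrasts a check that only looks at the base..HEAD diff with one that walks every commit in the PR range and inspects the dependency changes each commit introduces:

```python
from dataclasses import dataclass


@dataclass
class Commit:
    """One commit on the incoming branch: its sha and the dependency manifest at that commit."""
    sha: str
    deps: dict  # package name -> pinned version at this commit


# Constructed advisory data for the example (package -> versions known to be vulnerable).
# A real check would query an advisory database; this table is a placeholder.
VULNERABLE_VERSIONS = {
    "example-lib": {"1.2.3"},
}

# Constructed history that mirrors the reproduction steps:
# base is safe, commit A bumps to the vulnerable version, commit B reverts it.
BASE = Commit("base000", {"example-lib": "1.2.2"})
COMMIT_A = Commit("aaaaaaa", {"example-lib": "1.2.3"})
COMMIT_B = Commit("bbbbbbb", {"example-lib": "1.2.2"})
PR_COMMITS = [COMMIT_A, COMMIT_B]  # oldest first, COMMIT_B is HEAD


def changed_deps(before, after):
    """Dependencies whose pinned version differs between two manifests."""
    return {pkg: ver for pkg, ver in after.items() if before.get(pkg) != ver}


def vulnerable_deps(deps):
    """(package, version) pairs in a manifest that match the advisory table."""
    return sorted(
        (pkg, ver)
        for pkg, ver in deps.items()
        if ver in VULNERABLE_VERSIONS.get(pkg, set())
    )


def head_only_findings(base, pr_commits):
    """Evaluates only the base..HEAD diff, the behaviour the issue describes.

    Because commit B restores the safe version, the diff shows no dependency
    change at all and nothing is reported.
    """
    head = pr_commits[-1]
    diff = changed_deps(base.deps, head.deps)
    return [(head.sha, pkg, ver) for pkg, ver in vulnerable_deps(diff)]


def per_commit_findings(base, pr_commits):
    """Walks every commit in the range and checks what each one changed.

    Commit A is flagged even though HEAD is clean, which is the check the
    issue asks for before such a history is allowed onto main.
    """
    findings = []
    prev = base
    for commit in pr_commits:
        diff = changed_deps(prev.deps, commit.deps)
        findings.extend((commit.sha, pkg, ver) for pkg, ver in vulnerable_deps(diff))
        prev = commit
    return findings


if __name__ == "__main__":
    print("head-only diff :", head_only_findings(BASE, PR_COMMITS))
    print("per-commit walk:", per_commit_findings(BASE, PR_COMMITS))
```

Run as a script it prints an empty list for the head-only check and one finding (commit A, example-lib 1.2.3) for the per-commit walk. The per-commit walk is the policy a PR gate would need: deny the merge if any commit in the range, not just the resulting HEAD, pins a version on the advisory list.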
What version are you using?
No response