Querying Vulnerabilities for Particular Version Ranges

[giftcup]

How would you query for vulnerabilities that are related to a range of versions for of an npm package?

For example, if you have a package listed as follows; "@apollo/client": "^3.0.0" in the package.json file, how would you query for all vulnerabilities that are related to the package's versions using the OSV api?

[michaelkedar]

Hi,
Currently, we don't support querying version ranges directly in the API. Generally, we expect people to be looking for vulnerabilities in installed package, so you could query the installed version in the package-lock.json file.

If you need to query the version range, you can omit the version field in the query API request to get every vulnerability that affects any version of the package, then manually parse the affected.ranges fields for matches of the version range.
So the query for your example would be simply:

{
  "package": {
    "name": "@apollo/client",
    "ecosystem": "npm"
  }
}

May I ask what your use-case is that you need to do this?

[andrewpollock]

@giftcup circling back on the request for more detail on your particular use case

[giftcup]

I was trying to build a tool that would detect vulnerable packages in a package.json file without creating the package-lock.json. I thought I could query the package with the version ranges like those listed on a package.json file.

Sorry for the late reply.

[andrewpollock]

Disclaimer: I'm fairly ignorant about NPM, and I'm basing this on the most convenient package.json file I have available:

osv.dev/gcp/appengine/frontend3/package.json

Lines 1 to 39 in 2c31244

	{
	"name": "frontend3",
	"version": "0.0.0",
	"private": true,
	"scripts": {
	"watch": "webpack --config webpack.dev.js --watch",
	"start": "webpack serve --config webpack.dev.js",
	"build": "webpack --config webpack.dev.js",
	"build:prod": "webpack --config webpack.prod.js"
	},
	"dependencies": {
	"@github/clipboard-copy-element": "1.3.0",
	"@github/relative-time-element": "4.4.2",
	"@hotwired/turbo": "7.3.0",
	"@material/data-table": "13.0.0",
	"@material/layout-grid": "13.0.0",
	"@material/mwc-circular-progress": "0.27.0",
	"@material/mwc-icon": "0.27.0",
	"@material/mwc-icon-button": "0.27.0",
	"@material/mwc-textfield": "0.27.0",
	"@material/theme": "13.0.0",
	"lit": "2.8.0",
	"spicy-sections": "git+https://github.com/tabvengers/spicy-sections.git#c3aae99dbf1e627cdf03a35c913d7f6e970de22b"
	},
	"devDependencies": {
	"copy-webpack-plugin": "10.2.4",
	"css-loader": "6.11.0",
	"html-webpack-plugin": "5.6.0",
	"mini-css-extract-plugin": "2.9.0",
	"raw-loader": "4.0.2",
	"sass": "1.77.5",
	"sass-loader": "12.6.0",
	"style-loader": "3.3.4",
	"webpack": "5.92.0",
	"webpack-bundle-analyzer": "4.10.2",
	"webpack-cli": "4.10.0",
	"webpack-dev-server": "4.15.2"
	}
	}

Can you not simply call the OSV API with the package and versions present here?

e.g.

$ curl -d \
  '{"version": "1.3.0",
    "package": {"name": "@github/clipboard-copy-element", "ecosystem": "npm"}}' \
  "https://api.osv.dev/v1/query"

@giftcup You've mentioned "ranges" (plural) here, but I'm not seeing how you'd have more than a single version to be querying for? Do you have a package.json file example you can provide?