diff --git a/src/commands/fix/npm-fix.mts b/src/commands/fix/npm-fix.mts
index db4bd0ef3..586e819cb 100644
--- a/src/commands/fix/npm-fix.mts
+++ b/src/commands/fix/npm-fix.mts
@@ -327,16 +327,26 @@ export async function npmFix(
 firstPatchedVersionIdentifier,
 vulnerableVersionRange,
 } of infos.values()) {
- if (semver.gte(oldVersion, firstPatchedVersionIdentifier)) {
- debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`)
- continue infosLoop
- }
 const newVersion = findBestPatchVersion(
 node,
 availableVersions,
 vulnerableVersionRange,
- firstPatchedVersionIdentifier,
 )
+ const newVersionPackument = newVersion
+ ? packument.versions[newVersion]
+ : undefined
+
+ if (!(newVersion && newVersionPackument)) {
+ warningsForAfter.add(
+ `${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`,
+ )
+ continue infosLoop
+ }
+
+ if (semver.gte(oldVersion, newVersion)) {
+ debugFn(`skip: ${oldId} is >= ${newVersion}`)
+ continue infosLoop
+ }
 if (
 activeBranches.find(
@@ -353,17 +363,6 @@ export async function npmFix(
 continue infosLoop
 }
- const newVersionPackument = newVersion
- ? packument.versions[newVersion]
- : undefined
-
- if (!(newVersion && newVersionPackument)) {
- warningsForAfter.add(
- `${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`,
- )
- continue infosLoop
- }
-
 const newVersionRange = applyRange(oldVersion, newVersion, rangeStyle)
 const newId = `${name}@${newVersionRange}`
diff --git a/src/commands/fix/pnpm-fix.mts b/src/commands/fix/pnpm-fix.mts
index e2dbb3061..d2db064d8 100644
--- a/src/commands/fix/pnpm-fix.mts
+++ b/src/commands/fix/pnpm-fix.mts
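Review bot: The new `semver.gte(oldVersion, newVersion)` skip in the first `npmFix` hunk reports only through `debugFn`, so a dependency that is still inside `vulnerableVersionRange` could be left in place with no user-visible warning. That would happen if `findBestPatchVersion` can return a version at or below `oldVersion`; its body is outside this diff, so this is inferred. The removed check compared against `firstPatchedVersionIdentifier` and therefore only skipped installs that were already patched. Before `continue infosLoop`, test `vulnerableVersionRange && semver.satisfies(oldVersion, vulnerableVersionRange)` and, when it holds, add the existing "not updated: requires >=…" message to `warningsForAfter` rather than only logging at debug level. The same block is added in the `pnpmFix` hunk at `@@ -435,17 +435,26 @@`, and both enclosing functions start and end outside the hunks.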
@@ -435,17 +435,26 @@ export async function pnpmFix(
 firstPatchedVersionIdentifier,
 vulnerableVersionRange,
 } of infos) {
- if (semver.gte(oldVersion, firstPatchedVersionIdentifier)) {
- debugFn(`skip: ${oldId} is >= ${firstPatchedVersionIdentifier}`)
- continue infosLoop
- }
-
 const newVersion = findBestPatchVersion(
 node,
 availableVersions,
 vulnerableVersionRange,
- firstPatchedVersionIdentifier,
 )
+ const newVersionPackument = newVersion
+ ? packument.versions[newVersion]
+ : undefined
+
+ if (!(newVersion && newVersionPackument)) {
+ warningsForAfter.add(
+ `${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`,
+ )
+ continue infosLoop
+ }
+
+ if (semver.gte(oldVersion, newVersion)) {
+ debugFn(`skip: ${oldId} is >= ${newVersion}`)
+ continue infosLoop
+ }
 if (
 activeBranches.find(
@@ -462,17 +471,6 @@ export async function pnpmFix(
 continue infosLoop
 }
- const newVersionPackument = newVersion
- ? packument.versions[newVersion]
- : undefined
-
- if (!(newVersion && newVersionPackument)) {
- warningsForAfter.add(
- `${oldId} not updated: requires >=${firstPatchedVersionIdentifier}`,
- )
- continue infosLoop
- }
-
 const overrideKey = `${name}@${vulnerableVersionRange}`
 const newVersionRange = applyRange(
 oldOverrides?.[overrideKey] ?? oldVersion,
diff --git a/src/shadow/npm/arborist-helpers.mts b/src/shadow/npm/arborist-helpers.mts
index 1e53d5089..e56e3a02e 100644
--- a/src/shadow/npm/arborist-helpers.mts
+++ b/src/shadow/npm/arborist-helpers.mts
@@ -45,7 +45,6 @@ export function findBestPatchVersion(
 node: NodeClass,
 availableVersions: string[],
 vulnerableVersionRange?: string,
- _firstPatchedVersionIdentifier?: string | undefined,
 ): string | null {
 const manifestData = getManifestData(NPM, node.name)
 let eligibleVersions