multiple GHSA CVEs with patched versions in affected list

Some OSV json files containing GitHub advisories available via `www.googleapis.com` seem to include the patched versions in the affected versions list. I have included two examples containing this issue below:

- Advisory [GHSA-58c5-g7wp-6w37](https://github.com/advisories/GHSA-58c5-g7wp-6w37)
  [OSV JSON file from googleapis](https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2025-66035.json?alt=media)
 Patched versions 19.2.16, 20.3.14, and 21.0.1 are included in the affected versions list.
- Advisory [GHSA-rchf-xwx2-hm93](https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-rchf-xwx2-hm93/GHSA-rchf-xwx2-hm93.json) 
  [OSV JSON file from googleapis](https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2025-68475.json?alt=media). 
 Patched versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2 are included in the affected versions list

The references list in the JSON files do contain urls linking to the patched releases, so the information to correctly parse the fixed versions was avaiable. Is this an issue with OSV, or with GHSA? Or is the information avaiable via `googleapis` not up to date?
The files available via `https://api.osv.dev/` do denote the right fixed versions.

Thank you in advance,

Tom

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

multiple GHSA CVEs with patched versions in affected list #5184

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

multiple GHSA CVEs with patched versions in affected list #5184

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions