Advisory Metadata Mismatch Report
Summary
GHSA-84m3-f99p-cqx5 claims executorch==0.7.0 is the fixed version. However, the released artifact on PyPI ships runtime/core/hierarchical_allocator.h and runtime/core/memory_allocator.h that are byte-identical to the pre-fix versions. The fix commit was never merged into any release tag through v1.0.1. The fix first appears in 1.1.0.
Details
| Field | Value |
| --- | --- |
| Package | executorch |
| Registry | PyPI |
| Claimed fixed version | 0.7.0 |
| Advisory | GHSA-84m3-f99p-cqx5 |
| Fix commit | 0830af820724 |
| Commit is ancestor of tag | No (v0.7.0 through v1.0.1) |
| Truly fixed version | 1.1.0 |
Evidence
runtime/core/hierarchical_allocator.h and runtime/core/memory_allocator.h in the 0.7.0 artifact match the pre-fix state. The fix commit exists only on a cherry-pick branch; the equivalent fix on main landed in v1.1.0.
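Both checks behind this finding, whether the fix commit is reachable from each release tag and whether the shipped headers match the fixed or the pre-fix tree, can be reproduced against a local clone of the repository and an unpacked PyPI artifact. The script below is an added example, not tooling from this report or from the executorch project; the clone path, the unpacked artifact directory and the file names passed on the command line are assumptions, while the commit prefix and tags in the guarded invocation at the bottom are the ones stated in the table above.

```shell
#!/bin/sh
# Added example (not part of the report): reproduce the two checks behind an
# "advisory says fixed, artifact says otherwise" finding.

# Exit 0 if COMMIT is reachable from TAG in the clone at REPO, else non-zero.
commit_in_tag() {
  git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# For each TAG, print "<tag>: contains-fix", "<tag>: missing-fix" or
# "<tag>: unknown-tag" depending on whether COMMIT is an ancestor of it.
check_release() {
  cr_repo=$1; cr_commit=$2; shift 2
  for cr_tag in "$@"; do
    if ! git -C "$cr_repo" rev-parse -q --verify "$cr_tag^{commit}" >/dev/null; then
      echo "$cr_tag: unknown-tag"
    elif commit_in_tag "$cr_repo" "$cr_commit" "$cr_tag"; then
      echo "$cr_tag: contains-fix"
    else
      echo "$cr_tag: missing-fix"
    fi
  done
}

# Compare PATH inside the unpacked artifact at ARTIFACT_DIR with the same path
# at REV in the clone. Prints "same", "differs" or "missing" (no such file in
# the artifact). The byte comparison uses cmp, so no hashing tool is required.
artifact_file_status() {
  af_repo=$1; af_rev=$2; af_path=$3; af_dir=$4
  if [ ! -f "$af_dir/$af_path" ]; then
    echo missing
  elif git -C "$af_repo" show "$af_rev:$af_path" 2>/dev/null | cmp -s - "$af_dir/$af_path"; then
    echo same
  else
    echo differs
  fi
}

# Usage (paths are assumptions):
#   sh check_advisory.sh /path/to/executorch-clone /path/to/unpacked-0.7.0-artifact
# Prints which tags carry the fix commit, then whether each shipped header
# matches the claimed-fixed tag (expected "same") and the fix commit
# (expected "differs" if the fix is absent from the artifact).
if [ $# -eq 2 ]; then
  check_release "$1" 0830af820724 v0.7.0 v1.0.1 v1.1.0
  for f in runtime/core/hierarchical_allocator.h runtime/core/memory_allocator.h; do
    for rev in v0.7.0 0830af820724; do
      echo "$f vs $rev: $(artifact_file_status "$1" "$rev" "$f" "$2")"
    done
  done
fi
```

`merge-base --is-ancestor` answers the table's "Commit is ancestor of tag" row directly; running it over every tag from the claimed fixed version up to the first one that reports `contains-fix` gives the true fixed version. The file comparison is the Evidence paragraph's check: a header that is byte-identical to the tag but differs from the fix commit means the release was cut without the fix, whatever the advisory metadata says.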
Recommendation
Update the advisory to correct the fixed version to 1.1.0.