Conversation

@kraenhansen
Contributor

Description

Removing the expires field as per https://docs.snyk.io/manage-risk/policies/the-.snyk-file#set-vulnerability-ignore-rules as it just expired and I expect the reason stated to be very unlikely to change in the future.

Checklist

  • New tests and/or benchmarks are included
  • Documentation is changed or added
  • If this change updates the UI, screenshots/videos are added and a design review is requested
  • I have signed the MongoDB Contributor License Agreement (https://www.mongodb.com/legal/contributor-agreement)

Motivation and Context

  • Bugfix
  • New feature
  • Dependency update
  • Misc

Open Questions

Dependents

Types of changes

  • Backport Needed
  • Patch (non-breaking change which fixes an issue)
  • Minor (non-breaking change which adds functionality)
  • Major (fix or feature that would cause existing functionality to change)

@kraenhansen kraenhansen self-assigned this Sep 19, 2025
@kraenhansen kraenhansen requested a review from a team as a code owner September 19, 2025 09:27
@kraenhansen kraenhansen added the no release notes Fix or feature not for release notes label Sep 19, 2025
Contributor

Copilot AI left a comment


Pull Request Overview

Removes the expires timestamps from two Snyk vulnerability ignore rules to make them indefinite, aligning with the stated rationale that the justification is unlikely to change.

  • Removed expires fields for two ag-grid related ignore entries
  • Leaves ignores indefinite with only reason and created metadata


Comment on lines 9 to 15
          function
        expires: 2025-09-17T13:05:57.065Z
        created: 2024-01-18T18:27:24.353Z
  SNYK-JS-AGGRIDCOMMUNITY-7414157:
    - '*':
        reason: >-
          Not applicable as we don't use ag-grid utils and the library never
          passes user input directly to the merge function

Copilot AI Sep 19, 2025


Removing the expires field makes this ignore permanent; without a scheduled re-evaluation, a future change in usage (e.g., introduction of valueFormatter/cellRenderer) could leave a real vulnerability suppressed. Consider retaining an expires field (even if far in the future) or adding an explicit periodic review process annotation to ensure continued validity.


    - '*':
        reason: >-
          Not applicable as we don't use ag-grid utils and the library never
          passes user input directly to the merge function

Copilot AI Sep 19, 2025


This ignore entry is now indefinite; if future code begins using ag-grid utils or passes user-influenced data into merge, the suppressed issue would remain hidden. Recommend reinstating an expires timestamp or adding a documented review note to mitigate the risk of stale ignores.

Suggested change
passes user input directly to the merge function
passes user input directly to the merge function
expires: 2025-03-17T13:05:57.071Z
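Review bot: The suggested expires value 2025-03-17T13:05:57.071Z is already in the past at the date of this review (Sep 19, 2025) and even predates the 2025-09-17 expiry shown in the first comment, so applying the suggestion as written would reinstate an ignore that Snyk treats as expired immediately rather than schedule a future re-evaluation. If an expiry is kept, it needs a date in the future, for example one review cycle ahead of the PR date.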

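The PR description and both Copilot comments turn on the same question: once an ignore rule in `.snyk` has no `expires`, nothing in the repository flags it for re-evaluation, and a rule whose `expires` has passed is silently no longer honoured. The following added example (not code from the PR, from MongoDB Compass, or from Snyk) is a small CI-style audit that reads the `ignore:` block of a `.snyk` file and reports rules that are indefinite or already expired at a given reference date. The reader is a purpose-built parser for the indentation-based layout shown in this thread, not a general YAML parser, so it avoids a PyYAML dependency; the `SAMPLE_SNYK` text, the `SNYK-JS-EXAMPLE-0000000` identifier and the `REVIEW_DATE` constant are constructed for the example.

```python
"""Audit a .snyk policy file for ignore rules that never expire or have
already expired.  Added example, not code from the PR or from Snyk."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the ag-grid entries discussed in the PR.
# The first entry is the state the PR leaves behind (no expires); the
# second is a placeholder id whose expires date is already in the past.
SAMPLE_SNYK = """\
version: v1.25.0
ignore:
  SNYK-JS-AGGRIDCOMMUNITY-7414157:
    - '*':
        reason: >-
          Not applicable as we don't use ag-grid utils and the library never
          passes user input directly to the merge function
        created: 2024-01-18T18:27:24.353Z
  SNYK-JS-EXAMPLE-0000000:
    - '*':
        reason: Placeholder entry constructed for this example
        expires: 2025-03-17T13:05:57.071Z
        created: 2024-01-18T18:27:24.353Z
patch: {}
"""

# Reference date for the audit; the PR was reviewed on 19 Sep 2025.
REVIEW_DATE = datetime(2025, 9, 19, tzinfo=timezone.utc)


def parse_ignores(text):
    """Return {vuln_id: [ {path, reason, expires, created}, ... ]} from the
    ignore: block.  Handles the folded 'reason: >-' scalars Snyk writes."""
    rules, in_ignore, vuln, entry = {}, False, None, None
    folded_key, folded_indent = None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        # Continuation lines of a folded scalar are deeper than its key.
        if folded_key is not None:
            if indent > folded_indent:
                entry[folded_key] = (entry[folded_key] + " " + line).strip()
                continue
            folded_key = None
        if indent == 0:                      # top-level key: ignore:, patch:, version:
            in_ignore = line == "ignore:"
            vuln, entry = None, None
            continue
        if not in_ignore:
            continue
        if indent == 2 and line.endswith(":"):   # vulnerability id
            vuln = line[:-1]
            rules[vuln] = []
            continue
        if line.startswith("- ") and vuln is not None:  # path entry, e.g. - '*':
            m = re.match(r"-\s+'?([^':]+)'?:\s*$", line)
            entry = {"path": m.group(1), "reason": None, "expires": None, "created": None}
            rules[vuln].append(entry)
            continue
        m = re.match(r"(\w+):\s*(.*)$", line)   # scalar key inside the entry
        if m and entry is not None:
            key, value = m.group(1), m.group(2)
            if value in (">-", ">", "|", "|-"):
                entry[key] = ""
                folded_key, folded_indent = key, indent
            else:
                entry[key] = value
    return rules


def parse_snyk_timestamp(value):
    """Snyk writes ISO 8601 with millisecond precision and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_ignores(rules, now):
    """Return (vuln_id, path, status, expires) for every rule that is
    'indefinite' (no expires) or 'expired' (expires <= now)."""
    findings = []
    for vuln, entries in rules.items():
        for entry in entries:
            if entry.get("expires") is None:
                findings.append((vuln, entry["path"], "indefinite", None))
            else:
                exp = parse_snyk_timestamp(entry["expires"])
                if exp <= now:
                    findings.append((vuln, entry["path"], "expired", exp))
    return findings


if __name__ == "__main__":
    for vuln, path, status, exp in audit_ignores(parse_ignores(SAMPLE_SNYK), REVIEW_DATE):
        print(f"{status:10} {vuln} ({path}) expires={exp}")
```

Run against a real `.snyk` file by replacing `SAMPLE_SNYK` with the file contents and `REVIEW_DATE` with `datetime.now(timezone.utc)`; failing the build on any "indefinite" or "expired" finding is the scheduled re-evaluation the review comments ask for, without requiring an `expires` date in the policy itself.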

@kraenhansen kraenhansen merged commit 99d4e4c into main Sep 19, 2025
62 checks passed
@kraenhansen kraenhansen deleted the kh/snyk-no-expire-aggrid branch September 19, 2025 12:13