diff --git a/app/components/Package/VulnerabilityTree.vue b/app/components/Package/VulnerabilityTree.vue
index 9b505ea0d..52b732ba4 100644
--- a/app/components/Package/VulnerabilityTree.vue
+++ b/app/components/Package/VulnerabilityTree.vue
@@ -150,6 +150,13 @@ function getDepthStyle(depth: string | undefined) {
{{ vuln.id }}
{{ vuln.summary }}
+
+ → {{ vuln.fixedIn }}
+
a.package.ecosystem === 'npm' && a.package.name === packageName,
+ )
+ if (!packageAffected?.ranges) return undefined
+
+ // Look through ranges to find a 'fixed' event
+ for (const range of packageAffected.ranges) {
+ for (const event of range.events) {
+ if (event.fixed) {
+ return event.fixed
+ }
+ }
+ }
+
+ return undefined
+}
+
function getSeverityLevel(vuln: OsvVulnerability): OsvSeverityLevel {
const dbSeverity = vuln.database_specific?.severity?.toLowerCase()
if (dbSeverity) {
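Review bot: The loop at `for (const range of packageAffected.ranges)` returns the first `fixed` event of any range type, so a range of type `GIT` would surface a commit identifier as `fixedIn` instead of a version, and a package with several affected ranges (one per major line) reports the fix of whichever range is listed first, which need not be the one covering the installed version. Skipping non-version ranges is a one-line guard before the inner loop, `if (range.type === 'GIT') continue`; choosing among several `SEMVER`/`ECOSYSTEM` ranges would need the installed version, which this function does not appear to receive. The lookup on the affected list (it looks like a `find`, the call itself is above the visible lines) likewise consults only the first entry matching the package, so a second entry for the same package is ignored. The enclosing function's signature starts outside the hunk.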
diff --git a/shared/types/dependency-analysis.ts b/shared/types/dependency-analysis.ts
index 2f768132a..a733c302e 100644
--- a/shared/types/dependency-analysis.ts
+++ b/shared/types/dependency-analysis.ts
@@ -36,6 +36,37 @@ export interface OsvReference {
url: string
}
+/**
+ * Version range event from OSV affected data
+ * @see https://ossf.github.io/osv-schema/#affectedrangesevents-fields
+ */
+export interface OsvRangeEvent {
+ introduced?: string
+ fixed?: string
+ last_affected?: string
+ limit?: string
+}
+
+/**
+ * Version range from OSV affected data
+ */
+export interface OsvRange {
+ type: 'SEMVER' | 'ECOSYSTEM' | 'GIT'
+ events: OsvRangeEvent[]
+}
+
+/**
+ * Affected package info from OSV
+ */
+export interface OsvAffected {
+ package: {
+ ecosystem: string
+ name: string
+ }
+ ranges?: OsvRange[]
+ versions?: string[]
+}
+
/**
* Individual vulnerability record from OSV
*/
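Review bot: `OsvRangeEvent` declares all four keys optional without stating that an OSV event object carries exactly one of them, so a reader may expect `introduced` and `fixed` on the same object. The interface doc could add `Each event sets exactly one of these keys; for ranges of type GIT the values are commit identifiers, not versions.` The `type` union on `OsvRange` is what lets consumers tell a version range from a commit range, so it is worth saying in the `OsvRange` doc that callers deriving a version should check it before reading `events`.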
@@ -48,6 +79,7 @@ export interface OsvVulnerability {
published?: string
severity?: OsvSeverity[]
references?: OsvReference[]
+ affected?: OsvAffected[]
database_specific?: {
severity?: string
cwe_ids?: string[]
@@ -97,6 +129,8 @@ export interface VulnerabilitySummary {
severity: OsvSeverityLevel
aliases: string[]
url: string
+ /** Version that fixes this vulnerability (if known) */
+ fixedIn?: string
}
/**