When severity missing, treat as 'high' severity

PR-URL: #4 Credit: @isaacs Close: #4 Reviewed-by: @nlf
npm · Feb 18, 2021 · a2dcf13 · a2dcf13
1 parent ab7a40f
commit a2dcf13
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/lib/advisory.js b/lib/advisory.js
@@ -35,7 +35,7 @@ class Advisory {
       this.url = null
     }
 
-    this.severity = source.severity
+    this.severity = source.severity || 'high'
     this.versions = []
     this.vulnerableVersions = []
 

diff --git a/test/advisory.js b/test/advisory.js
@@ -339,3 +339,21 @@ t.test('default to * when no vulnerable_versions specified', t => {
   }, 'default to all versions being considered vulnerable')
   t.end()
 })
+
+t.test('default to "high" when no severity specified', t => {
+  const name = 'no-severity-specified'
+  const v = new Advisory(name, advisories[name])
+  t.same(v, {
+    source: 123456789,
+    name: 'no-severity-specified',
+    dependency: 'no-severity-specified',
+    title: 'No severity, so high severity',
+    url: 'https://npmjs.com/advisories/123456789',
+    severity: 'high',
+    versions: [],
+    vulnerableVersions: [],
+    range: '1.x',
+    id: 'ajZ5Jt7T99fpH0t8LgyBbDVivYlv/1OGrs/o+D8KmLDl+LKTjObUEt19cAZGaWdqiemuQOnvdZD577nKU+giIQ==',
+  }, 'default to all versions being considered vulnerable')
+  t.end()
+})
diff --git a/test/fixtures/advisories/no-severity-specified.json b/test/fixtures/advisories/no-severity-specified.json
@@ -0,0 +1,6 @@
+{
+  "id": 123456789,
+  "url": "https://npmjs.com/advisories/123456789",
+  "title": "No severity, so high severity",
+  "vulnerable_versions": "1.x"
+}