Is 2025 data being used?

[andrewpollock]

I was poking around a little to better understand how the sausage is made and the dependencies on OSV.dev vulnfeeds code, and noticed that https://github.com/pypa/advisory-database/blob/main/.github/workflows/auto_import.yaml has some 2024 hard coding in it, which may be resulting in suboptimal outcomes in 2025?

[sethmlarson]

It doesn't appear to be using 2025 data. @oliverchang was #210 meant to be a temporary solution that never got removed? There's clearly a 2025 data feed (I was able to pull it myself manually) but I don't understand the sources of any of this data? Is there a data feed that we should be using that includes all years?

[oliverchang]

#210 is trying to address a separate issue. It avoids importing any advisories that don't have any fix information (i.e. unbounded), which are much more likely to be data quality issues rather than them actually being unfixed.

and thank you for #230 ! that will address the issue @andrewpollock pointed out -- the year was previously hardcoded and needed to be manually updated.