Getting duplicate responses from Security Advisories GraphQL API

I am trying to use the GraphQL API to see if there are security advisories for a specific package, but some of the responses include duplicates of the advisories. For example, when I try to find advisories for express, I have this query:

    {
        securityVulnerabilities(ecosystem: NPM, first: 50, package: "express", orderBy: {field: UPDATED_AT, direction: DESC}) {
            nodes {
                advisory {
                    id, permalink, publishedAt, severity, summary, updatedAt, withdrawnAt
                }
                package {
                    name
                }
            }
            totalCount
        }
    }

and get this response, which has 2 of the same advisory:

    {'data': {'securityVulnerabilities': {'nodes': [{'advisory': {'id': 'MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdwdnItZzZnaC05bWMy',
                                                                  'permalink': 'https://github.com/advisories/GHSA-gpvr-g6gh-9mc2',
                                                                  'publishedAt': '2018-10-23T17:22:54Z',
                                                                  'severity': 'MODERATE',
                                                                  'summary': 'Moderate '
                                                                             'severity '
                                                                             'vulnerability '
                                                                             'that '
                                                                             'affects '
                                                                             'express',
                                                                  'updatedAt': '2019-07-03T21:02:05Z',
                                                                  'withdrawnAt': None},
                                                     'package': {'name': 'express'}},
                                                    {'advisory': {'id': 'MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdwdnItZzZnaC05bWMy',
                                                                  'permalink': 'https://github.com/advisories/GHSA-gpvr-g6gh-9mc2',
                                                                  'publishedAt': '2018-10-23T17:22:54Z',
                                                                  'severity': 'MODERATE',
                                                                  'summary': 'Moderate '
                                                                             'severity '
                                                                             'vulnerability '
                                                                             'that '
                                                                             'affects '
                                                                             'express',
                                                                  'updatedAt': '2019-07-03T21:02:05Z',
                                                                  'withdrawnAt': None},
                                                     'package': {'name': 'express'}}],
                                          'totalCount': 2}}}

Are there any differences that I am missing, or is this a bug?

1 Like

:wave: hello there @alex-bellon. Welcome to the GitHub Support Community! :tada:

I ran that query and confirmed the same advisory appears twice. I’ve escalated this to our engineering team and will follow up here when we have an update from them. We don’t have a timeline for when this will be resolved, but we’re happy to help with any other questions you may have about GitHub in the meantime. :v:

2 Likes
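
A client-side way to collapse the repeated nodes shown in the question, as an added example that is not part of the original thread or GitHub's code. It groups nodes by advisory `id`, skips withdrawn advisories by default, and keeps each `vulnerableVersionRange` when the query requests that field (an assumption: the posted query does not request it). The function name and the third sample node are constructed for illustration.

```python
def group_by_advisory(response, include_withdrawn=False):
    """Return one record per advisory id, in first-seen order."""
    nodes = response["data"]["securityVulnerabilities"]["nodes"]
    grouped = {}  # dicts preserve insertion order (Python 3.7+)
    for node in nodes:
        adv = node["advisory"]
        if adv.get("withdrawnAt") and not include_withdrawn:
            continue
        rec = grouped.setdefault(adv["id"], {
            "id": adv["id"],
            "permalink": adv.get("permalink"),
            "severity": adv.get("severity"),
            "packages": [],
            "ranges": [],
            "nodes": 0,  # how many raw nodes mapped to this advisory
        })
        rec["nodes"] += 1
        name = node.get("package", {}).get("name")
        if name and name not in rec["packages"]:
            rec["packages"].append(name)
        # Present only if the query asked for vulnerableVersionRange (assumption).
        rng = node.get("vulnerableVersionRange")
        if rng and rng not in rec["ranges"]:
            rec["ranges"].append(rng)
    return list(grouped.values())


# First two nodes: fields copied from the response in the post.
# Third node: constructed (placeholder id, withdrawn, made-up range).
_GHSA = {
    "id": "MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdwdnItZzZnaC05bWMy",
    "permalink": "https://github.com/advisories/GHSA-gpvr-g6gh-9mc2",
    "severity": "MODERATE",
    "withdrawnAt": None,
}
SAMPLE = {"data": {"securityVulnerabilities": {"nodes": [
    {"advisory": _GHSA, "package": {"name": "express"}},
    {"advisory": dict(_GHSA), "package": {"name": "express"}},
    {"advisory": {"id": "CONSTRUCTED-ADVISORY-ID", "permalink": None,
                  "severity": "LOW", "withdrawnAt": "2020-01-01T00:00:00Z"},
     "package": {"name": "express"}, "vulnerableVersionRange": "< 1.0.0"},
], "totalCount": 3}}}

if __name__ == "__main__":
    for rec in group_by_advisory(SAMPLE):
        print(rec["permalink"], rec["severity"], rec["nodes"], rec["ranges"])
```

A `nodes` count above 1 with an empty `ranges` list means the raw nodes were indistinguishable on the fields requested, which is the situation reported in the question.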