
fix: send vulnerability version to OSV #58

Merged: Flo0806 merged 1 commit into main from fix/vulns-version on May 5, 2026

Conversation

Flo0806 (Owner) commented on May 5, 2026

Summary

Fixes: #57

Related Issue

Now we use the correct function to send the package version to the OSV API.

Checklist

  • Tested locally
  • No console errors

Summary by CodeRabbit

Bug Fixes

  • Vulnerability detection now fetches version-specific vulnerability data for improved accuracy instead of retrieving all vulnerabilities for a package.
  • Optimized data enrichment flow to fetch vulnerabilities only when NPM package information is successfully retrieved, enhancing data reliability.

coderabbitai (bot) commented on May 5, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3fc235db-1ec0-44f8-956b-8389e852f037

📥 Commits

Reviewing files that changed from the base of the PR and between 037c9dd and b2bbed9.

📒 Files selected for processing (2)
  • server/api/sync.post.ts
  • server/utils/fetchers.ts

📝 Walkthrough

The PR fixes version-aware vulnerability checking by updating the OSV query to include a package version parameter. The sync endpoint now sequentially fetches NPM metadata first, then uses its version to query vulnerabilities, replacing the previous concurrent fetch that omitted version information.

Changes

Version-Aware Vulnerability Checking

Layer | File(s) | Summary
API Contract Update | server/utils/fetchers.ts | fetchVulnerabilities(pkg) is replaced with fetchVulnerabilitiesForVersion(pkg, version). The OSV request payload now includes a version field in the package query.
Endpoint Integration | server/api/sync.post.ts | The data enrichment flow transitions from a concurrent NPM+vulnerability fetch to a sequential one: fetchNpmInfo is called first, data.keywords is set from the result, then fetchVulnerabilitiesForVersion is called with the latest version from the NPM data.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 A version was missing, oh what a shame,
OSV queries were playing the blame,
Now fetching in order with version in hand,
Vulnerabilities matched, exactly as planned! 🎯✨


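The version-aware OSV query and the sequential npm-then-OSV flow the walkthrough describes, as an added TypeScript example: this is not code from this repository, and the interfaces, the injected client signatures and the stub data are constructed assumptions.

```typescript
// Added example (not the project's code): version-aware OSV query and the
// sequential npm -> OSV enrichment flow. Names and stubs are assumptions.

// Body POSTed to https://api.osv.dev/v1/query (OSV's public query endpoint).
interface OsvQuery { version: string; package: { name: string; ecosystem: string } }
interface OsvVuln { id: string; summary?: string }
// Only the fields of an npm registry document that this flow needs.
interface NpmInfo { "dist-tags": { latest: string }; keywords?: string[] }
// Injected clients so the flow runs offline against constructed data.
type NpmClient = (pkg: string) => Promise<NpmInfo | null>;
type OsvClient = (query: OsvQuery) => Promise<{ vulns?: OsvVuln[] }>;

function buildOsvQuery(pkg: string, version: string): OsvQuery {
  // The fix: send `version`, so OSV returns only advisories affecting this
  // release instead of every advisory ever filed against the package.
  return { version, package: { name: pkg, ecosystem: "npm" } };
}

async function fetchVulnerabilitiesForVersion(
  pkg: string, version: string, osv: OsvClient,
): Promise<OsvVuln[]> {
  const res = await osv(buildOsvQuery(pkg, version));
  return res.vulns ?? [];
}

interface Enriched { version?: string; keywords: string[]; vulnerabilities: OsvVuln[] }

// Sequential flow: fetch npm metadata first, then query OSV with the version
// npm reported. Without npm data there is no version to send, so OSV is skipped
// rather than queried version-less (which would return every advisory).
async function enrich(pkg: string, npm: NpmClient, osv: OsvClient): Promise<Enriched> {
  const data: Enriched = { keywords: [], vulnerabilities: [] };
  const info = await npm(pkg);
  if (!info) return data;
  const version = info["dist-tags"].latest;
  data.keywords = info.keywords ?? [];
  data.version = version;
  data.vulnerabilities = await fetchVulnerabilitiesForVersion(pkg, version, osv);
  return data;
}

// Constructed stubs standing in for the npm registry and OSV (no network).
const stubNpm: NpmClient = async (pkg) =>
  pkg === "example-pkg" ? { "dist-tags": { latest: "1.2.3" }, keywords: ["demo"] } : null;
const stubOsv: OsvClient = async (q) =>
  q.package.name === "example-pkg" && q.version === "1.2.3"
    ? { vulns: [{ id: "EXAMPLE-0001", summary: "constructed sample advisory" }] }
    : { vulns: [] };
```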
@Flo0806 Flo0806 merged commit addd5f6 into main May 5, 2026
1 of 2 checks passed

Development

Successfully merging this pull request may close these issues.

Vulnerabilities are not checked by version
