multiple GHSA CVEs with patched versions in affected list

[Tom-v-G]

Some OSV json files containing GitHub advisories available via www.googleapis.com seem to include the patched versions in the affected versions list. I have included two examples containing this issue below:

• Advisory GHSA-58c5-g7wp-6w37
  OSV JSON file from googleapis
  Patched versions 19.2.16, 20.3.14, and 21.0.1 are included in the affected versions list.
• Advisory GHSA-rchf-xwx2-hm93
  OSV JSON file from googleapis.
  Patched versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2 are included in the affected versions list

The references list in the JSON files do contain urls linking to the patched releases, so the information to correctly parse the fixed versions was avaiable. Is this an issue with OSV, or with GHSA? Or is the information avaiable via googleapis not up to date?
The files available via https://api.osv.dev/ do denote the right fixed versions.

Thank you in advance,

Tom

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[cuixq]

@Tom-v-G, thank you for bringing this up.

We are aware of this issue following our recent infrastructure changes on gitter and are currently working on an improvement to reduce the noise of false positives. We will update you here once that is done. Thanks for your patience!

[Tom-v-G]

@cuixq thank you for your swift response. Can you give an estimate of when these improvements will be implemented?

kind regards,
Tom

[cuixq]

Hi Tom the improvements are expected to be done by end of this week - thank you for your patience again!

[jess-lowe]

The records you are referencing refer to the CVE aliased records, not GHSA (GitHub doesn't publish GIT ecosystem records) and I don't see any of those versions in the affected versions lists anymore.

Please let us know if you see this in the future.

CVE OSV links:
CVE-2025-68475
CVE-2025-66035