With v2.6.29 we added Bump hints. A Bump hint is a suggestion for a new version to look into. In some languages, Java in particular, versions can be hard to change, so experimenting with versions may lead to long and extensive testing sessions.
This gets even worse when a particular CVE spans not just a few patches but several minor versions. Depending on the project's versioning strategy, several majors may even be active at the same time, which in turn, depending on branching, can lead to several affected major-minor combinations.
When more than one CVE is known for a particular library or component, researching the next suitable version can become complex and tiresome. This is what the Bump hint does for you. It does not just look up the end of the given CVE's affected range; it also searches all other known vulnerabilities for the same CPE and identifies suitable options that do _not_ contain vulnerability assignments.
In the given example, which starts from v4.0.27, the closest version to look into within the same minor is v4.0.37, provided you stay below v4.1.0. This is due to another issue which affects v4.1.0 up to 4.1.44. Beyond that, no version without known issues was found before v4.1.71.
That said, starting from v4.0.27, you might want to check whether a bump to 4.0.37 can be done without heavy lifting, since it does not bring many changes. If this does not work, the next stop would be v4.1.71.
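The selection logic described above can be sketched as follows. This is an added example, not the product's own implementation. The release list, the placeholder labels `CVE-A` to `CVE-C`, and every range boundary except "v4.1.0 up to 4.1.44" are constructed so that the result matches the example in the text.

```python
from typing import NamedTuple, Optional

Version = tuple[int, int, int]

def parse(v: str) -> Version:
    major, minor, patch = (int(p) for p in v.lstrip("v").split("."))
    return (major, minor, patch)

class Affected(NamedTuple):
    label: str      # placeholder id, not a real CVE number
    start: Version  # first affected version (inclusive)
    end: Version    # first unaffected version (exclusive)

# Constructed sample data: all known vulnerability ranges for one CPE.
RANGES = [
    Affected("CVE-A", parse("4.0.0"), parse("4.0.37")),
    Affected("CVE-B", parse("4.1.0"), parse("4.1.45")),   # v4.1.0 up to 4.1.44
    Affected("CVE-C", parse("4.1.30"), parse("4.1.71")),  # overlaps the end of CVE-B
]
RELEASES = ["4.0.27", "4.0.30", "4.0.37", "4.0.38", "4.1.0",
            "4.1.44", "4.1.45", "4.1.60", "4.1.71", "4.1.72"]

def is_clean(v: Version, ranges: list[Affected]) -> bool:
    """True if no known vulnerability range for the CPE contains v."""
    return not any(r.start <= v < r.end for r in ranges)

def fmt(v: Optional[Version]) -> Optional[str]:
    return ".".join(map(str, v)) if v else None

def bump_hints(current: str, releases: list[str], ranges: list[Affected]) -> dict:
    """Nearest clean release in the current minor, and in a later line."""
    cur = parse(current)
    newer = sorted(v for v in map(parse, releases) if v > cur)
    clean = [v for v in newer if is_clean(v, ranges)]
    same_minor = next((v for v in clean if v[:2] == cur[:2]), None)
    next_line = next((v for v in clean if v[:2] > cur[:2]), None)
    return {"same_minor": fmt(same_minor), "next_line": fmt(next_line)}

if __name__ == "__main__":
    print(bump_hints("4.0.27", RELEASES, RANGES))
```

With this sample data, 4.1.45 is the end of one affected range but is still rejected because another range covers it, which is why the end of a single CVE's range is not enough.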