Running osvcatalog against the OSV per-ecosystem dumps, affected entries whose only version info is a range are skipped (v0.1 matching is exact-version only): that drops 197,180 of 215,070 npm malicious packages (~92%), 6,372 of 11,486 for PyPI, and all 18 for Go — nearly all of them introduced: "0", i.e. every version is malicious.
A schema bump that can express "any version" (e.g. versions: ["*"] or an all_versions flag) would let the import emit these; comparison-based introduced/fixed ranges (<900 records) could stay out of scope.
Running osvcatalog against the OSV per-ecosystem dumps, affected entries whose only version info is a range are skipped (v0.1 matching is exact-version only): that drops 197,180 of 215,070 npm malicious packages (~92%), 6,372 of 11,486 for PyPI, and all 18 for Go — nearly all of them
introduced: "0", i.e. every version is malicious.A schema bump that can express "any version" (e.g.
versions: ["*"]or anall_versionsflag) would let the import emit these; comparison-basedintroduced/fixedranges (<900 records) could stay out of scope.