GHSA-mrrh-fwg8-r2c3 mismatch issue

[huornlmj]

Vulnerability ID:
GHSA-mrrh-fwg8-r2c3

Package URL or steps to reproduce:
The following in a Github workflow file:
uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
Causes $ grype . to throw the following error in the cloned local repo:

NAME                          INSTALLED                                 FIXED IN  TYPE           VULNERABILITY        SEVERITY  EPSS           RISK
tj-actions/changed-files      e0021407031f5be11a464abee9a0776171c79891  46.0.1    github-action  GHSA-mrrh-fwg8-r2c3  High      86.6% (99th)   84.5    KEV

GHSA-mrrh-fwg8-r2c3 is patched in 46.0.1. We are using 47.0.1. This is a false positive.

Environment:

$ grype version
Application:         grype
Version:             0.104.2
BuildDate:           2025-12-09T23:03:07Z
GitCommit:           b47060229fe05c654a7f0615a131db6cb3bc27f6
GitDescription:      v0.104.2
Platform:            linux/amd64
GoVersion:           go1.25.4
Compiler:            gc
Syft Version:        v1.38.2
Supported DB Schema: 6

• OS: Ubuntu 24.04.3 LTS

[wagoodman]

I was not able to reproduce the issue:

$cat .github/workflows/test.yaml
jobs:
  thing:
    steps:
      - uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1

$ syft -q .
NAME                      VERSION  TYPE
tj-actions/changed-files  v47.0.1  github-action

$ grype -q .
No vulnerabilities found

$ grype version
Application:         grype
Version:             0.104.2
BuildDate:           2025-12-09T22:37:10Z
GitCommit:           Homebrew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.25.5
Compiler:            gc
Syft Version:        v1.38.2
Supported DB Schema: 6

$ grype db status
Path:      .../grype/db/6/vulnerability.db
Schema:    v6.1.4
Built:     2026-03-04T06:25:03Z
From:      https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.4_2026-03-03T00:31:00Z_1772605503.tar.zst?checksum=sha256%3Afcd52485b156cb02a749d13a639c59e8d0dfe7e8e1c204816c2f477d7ee0d521
Status:    valid 

$ grype db search  GHSA-mrrh-fwg8-r2c3 -o json | jq '.[].packages'
[
  {
    "package": {
      "name": "tj-actions/changed-files",
      "ecosystem": "github-action"
    },
    "namespace": "github:language:github-action",
    "detail": {
      "cves": [
        "CVE-2025-30066"
      ],
      "ranges": [
        {
          "version": {
            "type": "github-action",
            "constraint": "<=45.0.7"
          },
          "fix": {
            "version": "46.0.1",
            "state": "fixed",
            "detail": {
              "available": {
                "date": "2025-09-04",
                "kind": "first-observed"
              }
            }
          }
        }
      ]
    }
  }
]

I checked upstream, this record has not changed in 5 months, so I'm not sure what could be different between what you are doing and what I'm doing.

Can you provide a sample file?