Description
I encountered this wrt https://github.com/github/advisory-database/blame/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json, because time is a very common Rust crate.
Suddenly over the weekend, the latest version of the crate started having vulns reported by it on api.osv.dev.
i.e. curl -d '{"version": "0.3.20", "package": {"name": "time", "ecosystem": "crates.io"}}' "https://api.osv.dev/v1/query"
https://osv.dev/vulnerability/GHSA-wcg3-cvx6-7396 shows the results in a web format.
b010a65 seems to be the cause. I see it is removing many last_affected, but in the case of time (GHSA-wcg3-cvx6-7396), it is only adding an empty "fixed".
The JSON contains:
    "database_specific": {
        "last_known_affected_version_range": "< 0.2"
    }
This feels a bit like #470.
This record should have a last_affected of 0.2.22 according to https://github.com/time-rs/time/blob/v0.2.23/CHANGELOG.md#compatibility-notes, or maybe fixed in 0.2.23.
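To show what an empty "fixed" event does to version matching, here is a constructed example (added here; it is not osv.dev's or the advisory database's code): a minimal OSV event walker run over the record as published, next to the two corrections suggested above. The version comparison is a dotted-integer approximation of SEMVER, and the three event lists are constructed from this issue.

```python
"""Constructed OSV SEMVER event evaluation for the GHSA-wcg3-cvx6-7396 case."""

# Event lists constructed from the issue text (not copied from the record).
AS_PUBLISHED = [{"introduced": "0"}, {"fixed": ""}]            # empty fixed
WITH_LAST_AFFECTED = [{"introduced": "0"}, {"last_affected": "0.2.22"}]
WITH_FIXED = [{"introduced": "0"}, {"fixed": "0.2.23"}]

# Sample crate versions to check (constructed; 0.3.20 is the one from the issue).
SAMPLE_VERSIONS = ["0.1.0", "0.2.22", "0.2.23", "0.3.20"]


def parse(version):
    """'0.2.22' -> (0, 2, 22); enough for the dotted releases used here."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, events):
    """Walk an ascending OSV event list and report whether `version` is affected.

    introduced <= v     opens an affected span
    fixed <= v          closes it
    last_affected < v   closes it
    An empty string (as in the record discussed) is treated as no event at all,
    so the span opened by introduced "0" is never closed.
    """
    v = parse(version)
    affected = False
    for event in events:
        if event.get("introduced"):
            if v >= parse(event["introduced"]):
                affected = True
        elif event.get("fixed"):
            if v >= parse(event["fixed"]):
                affected = False
        elif event.get("last_affected"):
            if v > parse(event["last_affected"]):
                affected = False
    return affected


def affected_versions(events, versions=SAMPLE_VERSIONS):
    """Return the subset of `versions` that `events` marks as affected."""
    return [v for v in versions if is_affected(v, events)]


if __name__ == "__main__":
    for label, events in [("as published", AS_PUBLISHED),
                          ("last_affected 0.2.22", WITH_LAST_AFFECTED),
                          ("fixed 0.2.23", WITH_FIXED)]:
        print(f"{label:22s} -> {affected_versions(events)}")
```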