# Safe versions

When one or more vulnerabilities are identified in a certain version of a component, Meterian will automatically suggest a list of "safe versions" to use. These appear in the project report, in a box positioned to the right of the component card, as in this example.

<figure><img src="/files/kBH86ohiq9ezqfJtQSPv" alt=""><figcaption><p>A vulnerable component and its safe versions</p></figcaption></figure>

Here we can see that this component, "image", is affected by one vulnerability in its current version, "0.23.11". The "Safe versions" box indicates which versions are considered "safe" by Meterian, and in this specific case those are 0.23.14 (a patch update) and 0.24.6 (a minor update).

Meterian in fact "knows" about all versions of the component and the vulnerabilities associated with each of them, as can be seen by opening the corresponding [link to Componentpedia](https://www.meterian.io/components/rust/image/), Meterian's library of components:

<figure><img src="/files/rENyigrGWOkvL6cTQn5w" alt="" width="375"><figcaption><p>List of versions and vulnerabilities from a Componentpedia page</p></figcaption></figure>

If we go back to the report, however, we notice that this particular vulnerability is declared to be fixed in version 0.23.12: why is Meterian suggesting version 0.23.14? This happens because, if there is a later patch that is safe and possibly fixes bugs, that will be the one suggested, which improves the stability of your project. For each semantic portion of the version (patch, minor, major), Meterian will always suggest the latest possible safe option.

For the same reason, when multiple vulnerabilities affect a component, Meterian will compute the safest version possible, as in this example:

<figure><img src="/files/NdVLJEEh2PvDzTXPp3Bk" alt=""><figcaption><p>Multiple vulnerabilities affecting a component</p></figcaption></figure>

Sometimes it is impossible to automatically find a safe version. For example, in this case, a vulnerability declares that a certain version of a component fixes it; however, that version is not actually present in any public repository! Version 4.3.1 of System.IO.Compression.ZipFile was unfortunately never published on the .NET repository [NuGet.org](https://www.nuget.org/packages/System.IO.Compression.ZipFile#versions-body-tab).

<figure><img src="/files/Flcxb5XsiCEssCSOMDZy" alt=""><figcaption><p>The vulnerability says there's a fix, but no such component version exists in the package repository</p></figcaption></figure>

Sometimes a safe, non-vulnerable version is simply not available: in that situation you will want to consider alternative actions to resolve the issue, for example looking at mitigating factors or replacing the component altogether.
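
The selection rule described on this page can be sketched as follows. This is an added example, not Meterian's implementation: the function names are hypothetical, the release lists are constructed, and it assumes each vulnerability affects every version below its declared fix. It covers the single-fix case, several vulnerabilities at once, and a fix that was never published.

```python
# Added example: a sketch of the selection rule described above, not Meterian's code.

def parse(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))

def is_safe(version, fixed_in):
    """Assumption: each vulnerability affects every version below its fix."""
    return all(parse(version) >= parse(fix) for fix in fixed_in)

def safe_versions(current, published, fixed_in):
    """Return the latest safe *published* upgrade per semantic portion."""
    cur = parse(current)
    best = {"patch": None, "minor": None, "major": None}
    for version in sorted(published, key=parse):
        v = parse(version)
        # Skip downgrades, the current version, and anything still vulnerable.
        if v <= cur or not is_safe(version, fixed_in):
            continue
        if v[0] != cur[0]:
            portion = "major"
        elif v[1] != cur[1]:
            portion = "minor"
        else:
            portion = "patch"
        best[portion] = version  # ascending order: the last match is the latest
    return best

# Constructed release list for illustration (not the real registry contents).
IMAGE_RELEASES = ["0.23.10", "0.23.11", "0.23.12", "0.23.13", "0.23.14",
                  "0.24.0", "0.24.5", "0.24.6"]
# Constructed: the declared fix, 4.3.1, is absent from the published list.
ZIPFILE_RELEASES = ["4.0.1", "4.3.0"]

if __name__ == "__main__":
    # One vulnerability fixed in 0.23.12: the later safe patch is preferred.
    print(safe_versions("0.23.11", IMAGE_RELEASES, ["0.23.12"]))
    # Two vulnerabilities: a version must be safe against all of them.
    print(safe_versions("0.23.11", IMAGE_RELEASES, ["0.23.12", "0.24.5"]))
    # The fix was never published, so no safe version can be suggested.
    print(safe_versions("4.3.0", ZIPFILE_RELEASES, ["4.3.1"]))
```

Only published versions are candidates, which is why a fix declared by the advisory but missing from the repository yields no suggestion at all.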

