
fix: bump semver to ^7.5.3 to fix audit issue #81

Status: Open. Wants to merge 1 commit into base: master.
Conversation

@joaop-br commented Jul 3, 2023

Fixes #78, an issue with npm audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semver [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@natan500 commented Jul 9, 2023

I see that the changes here are in dev dependencies, but in the last official version (4.2.2 on the npm website) the semver package is a production dependency.
https://www.npmjs.com/package/cls-hooked?activeTab=readme

@@ -41,7 +41,7 @@
"devDependencies": {
"chai": "^4.1.0",
"mocha": "^6.2.2",
"semver": "^6.3.0",
"semver": "^7.5.3",
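Review bot: the bump lands in devDependencies, yet the review discussion notes that index.js requires semver at module load, so an installed copy of the package would not receive semver at all; move the entry to dependencies as part of this change rather than only raising its range.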

Semver is used in index.js when the module is loaded. Should this be in dependencies instead of devDependencies?


The latest release to npm was v4.2.2 in 2017, with a non-dev dependency on semver ^5.4.1. After that, there were multiple changes that never got released, including this commit which moved semver from dependencies to devDependencies. But that was never released, and the latest code still uses semver during module load. Looks strange.

@magtutu commented Jul 10, 2023

Does anyone know how to contact the module author?

@@ -4563,6 +4583,12 @@
"requires": {
"ms": "^2.1.1"
}
},
"semver": {
"version": "6.3.0",
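Review bot: a semver entry still resolving to 6.3.0 remains in the lock after this change, so `npm audit` will keep reporting the advisory; the devDependencies bump alone cannot remove it because another package (superagent, per the review discussion) still requires semver@6, and that requirement needs raising before the lock is regenerated.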


It looks like superagent is also using semver@6; you will also need to upgrade the superagent version requirement to ^5.3.1.

Successfully merging this pull request may close these issues.

Is it possible to update the semver dependency from anything to 7.5.2?
5 participants