Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-c2qf-rxjj-qqgw] semver vulnerable to Regular Expression Denial of Service #2483

Merged

Conversation

G-Rath
Copy link

@G-Rath G-Rath commented Jul 10, 2023

Updates

  • Affected products
  • References

Comments
Update advisory to reflect backported patch

@G-Rath
Copy link
Author

G-Rath commented Jul 10, 2023

The description should probably be updated too actually - also v6 is getting a backport but technically that's not landed yet: npm/node-semver#593

@github-actions github-actions bot changed the base branch from main to G-Rath/advisory-improvement-2483 July 10, 2023 20:39
@advisory-database advisory-database bot merged commit c46edac into G-Rath/advisory-improvement-2483 Jul 10, 2023
@advisory-database
Copy link
Contributor

Hi @G-Rath! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the G-Rath-GHSA-c2qf-rxjj-qqgw branch July 10, 2023 22:04
@darakian
Copy link
Contributor

darakian commented Jul 10, 2023

@G-Rath I went ahead and updated the description as well. Thanks for the quick update! 😄

@lukekarrys
Copy link

The v6 backport just landed:

❯ npm view semver --json | jq -r '.time["6.3.1"]'
2023-07-10T22:38:41.428Z

@G-Rath
Copy link
Author

G-Rath commented Jul 10, 2023

Yup I've opened #2484 updating the advisory again - it also looks like the ranges got incorrectly updated in this PR.

@darakian
Copy link
Contributor

Should be updated now 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants