Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: bump semver to ^7.5.3 to fix audit issue #81

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

joaop-br
Copy link

@joaop-br joaop-br commented Jul 3, 2023

Fixes #78 issue with npm audit

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semver [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@natan500
Copy link

natan500 commented Jul 9, 2023

I see that the changes here are in dev dependencies but in the last official version - 4.2.2 on npm website, the semver package is a production dependency.
https://www.npmjs.com/package/cls-hooked?activeTab=readme

@@ -41,7 +41,7 @@
"devDependencies": {
"chai": "^4.1.0",
"mocha": "^6.2.2",
"semver": "^6.3.0",
"semver": "^7.5.3",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semver is used in index.js when the module is loaded. Should this be in dependencies instead of devDependencies?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The latest release to npm was v4.2.2 in 2017, with a non-dev dependency on semver ^5.4.1
After that, there were multiple changes that never got released, including this commit which moved
semver from dependencies to devDependencies. But that was never released and the latest code still uses semver during module load. Looks strange.

@magtutu
Copy link

magtutu commented Jul 10, 2023

Does anyone know how to contact the module author?

@@ -4563,6 +4583,12 @@
"requires": {
"ms": "^2.1.1"
}
},
"semver": {
"version": "6.3.0",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like superagent is also using semver@6, you will also need to upgrade superagent version requirement to ^5.3.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Does it possible to update semver depcy from anything to 7.5.2?
5 participants