Update dependencies of @wordpress/scripts to fix semver security issue #52029
Labels
Good First Issue
An issue that's suitable for someone looking to contribute for the first time
Needs Dev
Ready for, and needs developer efforts
[Status] In Progress
Tracking issues with work in progress
[Tool] WP Scripts
/packages/scripts
[Type] Build Tooling
Issues or PRs related to build tooling
I'm not sure how to raise this as it doesn't seem to fit one of the issue types that has a template.
We have a number of repositories that use
@wordpress/scripts
.These all have Dependabot reporting "semver vulnerable to Regular Expression Denial of Service" as a moderate security issue that is present in
semver < v7.5.2
and fixed insemver v7.5.2
When I try to fix this, I can only get semver up to version 5.7.1 because of dependencies of
@wordpress/scripts
The chain of dependencies seems to be:
@wordpress/scripts@26.6.0
requiresnpm-package-json-lint: ^5.0.0
npm-package-json-lint@5.4.2
requiresmeow: ^6.1.1
meow@6.1.1
requiresnormalize-package-data: ^2.5.0
normalize-package-data@2.5.0
requiressemver: 2 || 3 || 4 || 5
Updating
npm-package-json-lint
to v6.4.0 would fix this:npm-package-json-lint@6.4.0
requiresmeow: ^9.0.0
meow@9.0.0
requiresnormalize-package-data: ^3.0.0
normalize-package-data@3.0.3
requiressemver: ^7.3.4
I'd love to try to make a PR for this, but don't know how to do this given the mono-repo nature here.
Are there plans to update this dependency? Can someone that has the repo set up try it and see if it's a breaking change?
Thanks
The text was updated successfully, but these errors were encountered: