Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency semver [SECURITY] #605

Merged
merged 1 commit into from
Jun 26, 2023
Merged

Update dependency semver [SECURITY] #605

merged 1 commit into from
Jun 26, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 24, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semver ^4.3.2 -> ^7.0.0 age adoption passing confidence
semver 7.3.8 -> 7.5.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25883

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

npm/node-semver (semver)

v7.5.3

Compare Source

Bug Fixes
Documentation

v7.5.2

Compare Source

Bug Fixes

v7.5.1

Compare Source

Bug Fixes

v7.5.0

Compare Source

Features
Bug Fixes

v7.4.0

Compare Source

Features
Bug Fixes
Documentation

v7.3.8

Compare Source

Bug Fixes
Documentation
7.3.7 (2022-04-11)
Bug Fixes
Dependencies
7.3.6 (2022-04-05)
Bug Fixes
Documentation
  • clarify * range behavior (cb1ca1d)
Dependencies

v7.3.7

Compare Source

v7.3.6

Compare Source

v7.3.5

Compare Source

v7.3.4

Compare Source

v7.3.3

Compare Source

v7.3.2

Compare Source

v7.3.1

Compare Source

v7.3.0

Compare Source

  • Add subset(r1, r2) method to determine if r1 range is entirely
    contained by r2 range.

v7.2.3

Compare Source

  • Fix handling of includePrelease mode where version ranges like 1.0.0 - 2.0.0 would include 3.0.0-pre and not 1.0.0-pre.

v7.2.2

Compare Source

  • Fix bug where 2.0.0-pre would be included in ^1.0.0 if
    includePrerelease was set to true.

v7.2.1

Compare Source

v7.2.0

Compare Source

  • Add simplifyRange method to attempt to generate a more human-readable
    range expression that is equivalent to a supplied range, for a given set
    of versions.

v7.1.3

Compare Source

v7.1.2

Compare Source

  • Remove fancy lazy-loading logic, as it was causing problems for webpack
    users.

v7.1.1

Compare Source

v7.1.0

Compare Source

  • Add require('semver/preload') to load the entire module without using
    lazy getter methods.

v7.0.0

Compare Source

  • Refactor module into separate files for better tree-shaking
  • Drop support for very old node versions, use const/let, => functions,
    and classes.

v6.3.0

Compare Source

  • Expose the token enum on the exports

v6.2.0

Compare Source

  • Coerce numbers to strings when passed to semver.coerce()
  • Add rtl option to coerce from right to left

v6.1.3

Compare Source

  • Handle X-ranges properly in includePrerelease mode

v6.1.2

Compare Source

  • Do not throw when testing invalid version strings

v6.1.1

Compare Source

  • Add options support for semver.coerce()
  • Handle undefined version passed to Range.test

v6.1.0

Compare Source

  • Add semver.compareBuild function
  • Support * in semver.intersects

v6.0.0

Compare Source

v5.7.1

Compare Source

v5.7.0

Compare Source

v5.6.0

Compare Source

v5.5.1

Compare Source

v5.5.0

Compare Source

v5.4.1

Compare Source

v5.4.0

Compare Source

v5.3.0

Compare Source

v5.2.0

Compare Source

v5.1.1

Compare Source

v5.1.0

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-semver-vulnerability branch 2 times, most recently from e55b867 to 53ece4d Compare June 24, 2023 19:49
confused-Techie
confused-Techie approved these changes Jun 25, 2023
View reviewed changes
Copy link
Member

@confused-Techie confused-Techie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All tests are passing here, and the changes look good.

Really the only thing we need to be worried about is semver usage within notifications which seems to be restricted to a gte() call here and here.

Looking through the semver README.md for our old version and again for our newest confirms usage should be the same for this function between them.

Although if anybody wants to read the huge diff between these versions, feel free.

Otherwise I'm going to go ahead and approve this one, and merge!

@renovate renovate bot changed the title fix(deps): update dependency semver to v7.5.2 [security] Update dependency semver [SECURITY] Jun 26, 2023
@renovate renovate bot force-pushed the renovate/npm-semver-vulnerability branch from 53ece4d to a68c590 Compare June 26, 2023 02:16
@confused-Techie confused-Techie merged commit 3400d0f into master Jun 26, 2023
@confused-Techie confused-Techie deleted the renovate/npm-semver-vulnerability branch June 26, 2023 02:24
@confused-Techie confused-Techie mentioned this pull request Jun 26, 2023
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@confused-Techie confused-Techie confused-Techie approved these changes

Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@confused-Techie