Backport the ReDoS fix in v2.0.0 #22
Comments
I don't plan to backport to v2. v2 is a very old release. I generally only backport one release back.
You don't know that. It could be a single popular dependency that never updated.
Thanks for letting me know. Fixed.
The issue for me is this dep chain: bin-wrapper -> find-versions -> semver-regex. I'm only judging by the numbers, and the numbers are big.
The "vulnerability" does not apply to
npm/rfcs#422 would solve this.
Yup, agreed, thanks for the info!
…On Sun, Oct 3, 2021, 08:59 Sindre Sorhus ***@***.***> wrote:
npm/rfcs#422 <npm/rfcs#422> would solve this.
@sindresorhus I have this dep chain:
Hey, @sindresorhus. I know you might not support v2.0.0, but there are so many packages that are still using it: https://www.npmjs.com/package/semver-regex?activeTab=versions
Would it be possible to backport the fix for 2.x too?
Thanks!
PS. The `latest` npm tag points to v3.1.3, not sure if that's intentional.