semver vulnerable to Regular Expression Denial of Service #943

1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP · 2023-07-04T09:50:26Z

The semver package has a security vulnerability. They only fixed v7, but the babel team has backported the fix to semver v6, can we use that? babel/babel#15742

npm audit output

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
node_modules/eslint-plugin-jsx-a11y/node_modules/semver
  eslint-plugin-jsx-a11y  >=6.6.0
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-jsx-a11y

The text was updated successfully, but these errors were encountered:

ljharb · 2023-07-04T15:55:41Z

It’s not a really a vulnerability - like most JS CVEs, it’s a false positive - and we can’t upgrade to v7. I’d rather not use a fork, and would instead prefer to wait until semver backports it to v6, since it’s not an actual vuln.

ljharb closed this as not planned Won't fix, can't repro, duplicate, stale Jul 4, 2023

SukkaW mentioned this issue Jul 5, 2023

[Dev Deps] move semver from Deps to Dev Deps #944

Merged

ljharb closed this as completed in #944 Aug 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

semver vulnerable to Regular Expression Denial of Service #943

semver vulnerable to Regular Expression Denial of Service #943

1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP commented Jul 4, 2023

ljharb commented Jul 4, 2023

semver vulnerable to Regular Expression Denial of Service #943

semver vulnerable to Regular Expression Denial of Service #943

Comments

1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP commented Jul 4, 2023

ljharb commented Jul 4, 2023