Skip to content

[Bug]: semver dep security vulnerability #3589

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
2 tasks done
AviVahl opened this issue Jun 25, 2023 · 4 comments
Closed
2 tasks done

[Bug]: semver dep security vulnerability #3589

AviVahl opened this issue Jun 25, 2023 · 4 comments
Labels
bug

Comments

@AviVahl
Copy link

AviVahl commented Jun 25, 2023

Is there an existing issue for this?

  • I have searched the existing issues and my issue is unique
  • My issue appears in the command-line and not only in the text editor

Description Overview

When installing package using npm, audit fails with:

$ npm audit
# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/semver
  eslint-plugin-react  7.19.0 || >=7.26.0
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-react

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Running npm audit fix --force downgrades to [email protected] 👀

Expected Behavior

No security vulnerabilities.

eslint-plugin-react version

7.32.2

eslint version

8.43.0

node version

18.16.1
@AviVahl AviVahl added the bug label Jun 25, 2023
@ljharb
Copy link
Member

ljharb commented Jun 25, 2023

It’s not a vulnerability here - like most transitive dep CVEs, it’s a false positive - and we can’t upgrade because v7 drops support for engines we need to support.

@ljharb ljharb closed this as not planned Won't fix, can't repro, duplicate, stale Jun 25, 2023
@ljharb ljharb mentioned this issue Jul 3, 2023
Closed
@1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP
Copy link

The babel team has backported the fix to semver v6, can we use that? babel/babel#15742

@ljharb
Copy link
Member

ljharb commented Jul 4, 2023

I’d really rather not use a fork if we can avoid it.

@ljharb ljharb mentioned this issue Jul 7, 2023
Closed
@littlebtc
Copy link

littlebtc commented Jul 11, 2023
edited
Loading

Update: semver team released backported version (6.3.1), so the security issue should be resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ljharb @littlebtc @AviVahl @1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP