[GH-ISSUE #980] Vulnerabilities in semver package #1471

Closed
opened 2026-04-16 10:52:49 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @ManolisDia on GitHub (Oct 13, 2023).
Original GitHub issue: https://github.com/semver/semver/issues/980

I've identified multiple moderate severity vulnerabilities in the semver package while using it in my project. These vulnerabilities are detailed in the output of npm audit. The affected versions of the semver package range from 7.0.0 to 7.5.1.

Reproducible Steps:

Install the semver package by running npm install semver in your project.
Run npm audit to check for vulnerabilities in your project's dependencies.
Expected Behavior:
I expect that the packages I use, including semver, do not have known vulnerabilities that could pose a security risk to my project.

Actual Behavior:
The npm audit command has reported several moderate severity vulnerabilities in the semver package, which is concerning for the security of my project.

Additional Information:

Operating System: Windows 11
Node.js Version: 18.18.1

npm audit:

PS C:\Users\Manol\OneDrive\Documents\Personal Programming Projects\Expo\Test> npm audit

npm audit report

semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install expo-splash-screen@0.10.3, which is a breaking change
node_modules/@expo/image-utils/node_modules/semver
@expo/image-utils >=0.3.10-alpha.0
Depends on vulnerable versions of semver
node_modules/@expo/image-utils
@expo/prebuild-config *
Depends on vulnerable versions of @expo/image-utils
node_modules/@expo/prebuild-config
@expo/cli >=0.1.0
Depends on vulnerable versions of @expo/prebuild-config
node_modules/@expo/cli
expo >=45.0.0-beta.1
Depends on vulnerable versions of @expo/cli
node_modules/expo
expo-router *
Depends on vulnerable versions of expo
Depends on vulnerable versions of expo-splash-screen
node_modules/expo-router
expo-splash-screen >=0.11.0
Depends on vulnerable versions of @expo/prebuild-config
node_modules/expo-splash-screen

7 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Originally created by @ManolisDia on GitHub (Oct 13, 2023). Original GitHub issue: https://github.com/semver/semver/issues/980 I've identified multiple moderate severity vulnerabilities in the semver package while using it in my project. These vulnerabilities are detailed in the output of npm audit. The affected versions of the semver package range from 7.0.0 to 7.5.1. Reproducible Steps: Install the semver package by running npm install semver in your project. Run npm audit to check for vulnerabilities in your project's dependencies. Expected Behavior: I expect that the packages I use, including semver, do not have known vulnerabilities that could pose a security risk to my project. Actual Behavior: The npm audit command has reported several moderate severity vulnerabilities in the semver package, which is concerning for the security of my project. Additional Information: Operating System: Windows 11 Node.js Version: 18.18.1 npm audit: PS C:\Users\Manol\OneDrive\Documents\Personal Programming Projects\Expo\Test> npm audit # npm audit report semver 7.0.0 - 7.5.1 Severity: moderate semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw fix available via `npm audit fix --force` Will install expo-splash-screen@0.10.3, which is a breaking change node_modules/@expo/image-utils/node_modules/semver @expo/image-utils >=0.3.10-alpha.0 Depends on vulnerable versions of semver node_modules/@expo/image-utils @expo/prebuild-config * Depends on vulnerable versions of @expo/image-utils node_modules/@expo/prebuild-config @expo/cli >=0.1.0 Depends on vulnerable versions of @expo/prebuild-config node_modules/@expo/cli expo >=45.0.0-beta.1 Depends on vulnerable versions of @expo/cli node_modules/expo expo-router * Depends on vulnerable versions of expo Depends on vulnerable versions of expo-splash-screen node_modules/expo-router expo-splash-screen >=0.11.0 Depends on vulnerable versions of @expo/prebuild-config node_modules/expo-splash-screen 7 moderate severity vulnerabilities To address all issues (including breaking changes), run: npm audit fix --force
Author
Owner

@JohnTitor commented on GitHub (Oct 13, 2023):

This repo is for the semver spec, not npm one.

<!-- gh-comment-id:1761608262 --> @JohnTitor commented on GitHub (Oct 13, 2023): This repo is for the semver spec, not npm one.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/semver#1471