mirror of
https://github.com/semver/semver.git
synced 2026-07-10 19:50:47 -05:00
[GH-ISSUE #980] Vulnerabilities in semver package #3320
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ManolisDia on GitHub (Oct 13, 2023).
Original GitHub issue: https://github.com/semver/semver/issues/980
I've identified multiple moderate severity vulnerabilities in the semver package while using it in my project. These vulnerabilities are detailed in the output of npm audit. The affected versions of the semver package range from 7.0.0 to 7.5.1.
Reproducible Steps:
Install the semver package by running npm install semver in your project.
Run npm audit to check for vulnerabilities in your project's dependencies.
Expected Behavior:
I expect that the packages I use, including semver, do not have known vulnerabilities that could pose a security risk to my project.
Actual Behavior:
The npm audit command has reported several moderate severity vulnerabilities in the semver package, which is concerning for the security of my project.
Additional Information:
Operating System: Windows 11
Node.js Version: 18.18.1
npm audit:
PS C:\Users\Manol\OneDrive\Documents\Personal Programming Projects\Expo\Test> npm audit
npm audit report
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via
npm audit fix --forceWill install expo-splash-screen@0.10.3, which is a breaking change
node_modules/@expo/image-utils/node_modules/semver
@expo/image-utils >=0.3.10-alpha.0
Depends on vulnerable versions of semver
node_modules/@expo/image-utils
@expo/prebuild-config *
Depends on vulnerable versions of @expo/image-utils
node_modules/@expo/prebuild-config
@expo/cli >=0.1.0
Depends on vulnerable versions of @expo/prebuild-config
node_modules/@expo/cli
expo >=45.0.0-beta.1
Depends on vulnerable versions of @expo/cli
node_modules/expo
expo-router *
Depends on vulnerable versions of expo
Depends on vulnerable versions of expo-splash-screen
node_modules/expo-router
expo-splash-screen >=0.11.0
Depends on vulnerable versions of @expo/prebuild-config
node_modules/expo-splash-screen
7 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
@JohnTitor commented on GitHub (Oct 13, 2023):
This repo is for the semver spec, not npm one.