Is it possible to update the semver dependency from anything to 7.5.2?
dc185334 opened this issue
I have no issues with such npm overrides in my package.json, but it is still my case:
```json
"semver@7.5.1": "7.5.2",
"cls-hooked@4.2.2": {
  "semver@5.4.1": "7.5.2"
},
"async-listener@0.6.10": {
  "semver@5.7.1": "7.5.2"
}
```
semver 5.4.1 seems to have a CVE: https://www.mend.io/vulnerability-database/CVE-2022-25883. Any chance to update that dependency?
having same issue +1
Having the snyk issue
Regular Expression Denial of Service (ReDoS) [High Severity](https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795) in semver@7.5.1
introduced by aws-xray-sdk@3.5.0 > aws-xray-sdk-core@3.5.0 > cls-hooked@4.2.2 > semver@5.7.1 and 1 other path(s)
This issue was fixed in versions: 7.5.2
7.5.2 force resolution has worked like a charm for the last two weeks. Just letting you know.
Is there a plan to release a fix for this issue anytime soon?
There's a pull request (#81) that's been sitting there for a month. I'm guessing the author has abandoned this project :-(.
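To confirm that overrides like the ones posted in this thread actually took effect, the lockfile can be checked for nested semver copies below 7.5.2, the fixed version quoted from Snyk above. This is an added example, not code from the thread or the project; the function names and the sample lockfile are constructed, and it assumes a `package-lock.json` with `lockfileVersion` 2 or 3 (a `packages` map keyed by install path).

```javascript
// Added example: find installed copies of a package below a fixed version.
const FIXED = '7.5.2'; // fixed version as quoted in the Snyk text in this thread

// Parse "x.y.z" into numbers, ignoring any prerelease/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` sorts strictly below `floor`.
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return [{ path, version }] for every installed copy of `name` below `floor`.
// The path shows which parent still pins the old copy.
function findStale(lock, name = 'semver', floor = FIXED) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isBelow(meta.version, floor))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Constructed sample: the override applied under async-listener but not cls-hooked.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/semver': { version: '7.5.2' },
    'node_modules/cls-hooked': { version: '4.2.2' },
    'node_modules/cls-hooked/node_modules/semver': { version: '5.7.1' },
    'node_modules/async-listener': { version: '0.6.10' },
    'node_modules/async-listener/node_modules/semver': { version: '7.5.2' },
  },
};

console.log(findStale(sampleLock));
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findStale`; an empty result means no copy below the floor remains in the tree.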