Does it possible to update semver depcy from anything to 7.5.2?

Question

Does it possible to update semver depcy from anything to 7.5.2?

dc185334 opened this issue a year ago · comments

I have no issues with such npm overrides in my package.json, but it is still my case:

    "semver@7.5.1": "7.5.2",
    "cls-hooked@4.2.2": {
      "semver@5.4.1": "7.5.2"
    },
    "async-listener@0.6.10": {
      "semver@5.7.1": "7.5.2"
    }

Robert Podwika · Answer 1 · Fri Jun 23 2023 21:42:47 GMT+0800 (China Standard Time)

semver 5.4.1 seem to have CVE https://www.mend.io/vulnerability-database/CVE-2022-25883 any chane to update that dependency?

Joey G · Answer 2 · Fri Jul 07 2023 05:24:33 GMT+0800 (China Standard Time)

having same issue +1

Vasyl Onopriienko · Answer 3 · Fri Jul 07 2023 18:21:55 GMT+0800 (China Standard Time)

Having the snyk issue
Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795] in semver@7.5.1
introduced by aws-xray-sdk@3.5.0 > aws-xray-sdk-core@3.5.0 > cls-hooked@4.2.2 > semver@5.7.1 and 1 other path(s)
This issue was fixed in versions: 7.5.2

Daniel Chechik · Answer 4 · Fri Jul 07 2023 19:45:42 GMT+0800 (China Standard Time)

7.5.2 force resolution works like a charm for the last two weeks. Just letting you to know.

rohitkumarcs · Answer 5 · Fri Jul 28 2023 14:25:49 GMT+0800 (China Standard Time)

What is the plan to release the fix of this issue anytime soon?

Ryan Shillington · Answer 6 · Sat Aug 12 2023 21:43:36 GMT+0800 (China Standard Time)

There's a pull request (#81) that's been sitting there for a month. I'm guessing the author has abandoned this project :-(.