tediousjs / tedious

Node TDS module for connecting to SQL Server databases.

Home Page: http://tediousjs.github.io/tedious/


[High Severity] Regular Expression Denial of Service (ReDoS) in semver@7.3.8 introduced by tedious

nathanbunn20 opened this issue · comments

commented

This issue was caught by snyk in one of my projects. I'm on the latest tedious@16.2.0, so there is no upgrade path at this time.

Issues with no direct upgrade or patch:
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795] in semver@7.3.8
introduced by tedious@16.2.0 > @azure/identity@2.1.0 > @azure/msal-node@1.16.0 > jsonwebtoken@9.0.0 > semver@7.3.8 and 1 other path(s)
This issue was fixed in versions: 7.5.2
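As an added example (not code from the tedious project or from the reporter): a small script that walks an npm lockfile's `packages` map the way npm resolves nested `node_modules`, and reports every dependency chain that ends at a semver version below the 7.5.2 fix. The lockfile fragment is constructed to mirror the chain quoted in the Snyk output above.

```javascript
// Added example: find every chain in an npm lockfile (v2/v3 "packages" map)
// that resolves to a semver release older than the fixed version 7.5.2.
const FIXED_SEMVER = [7, 5, 2];

// Constructed lockfile fragment mirroring the chain from the Snyk report.
const LOCKFILE = {
  packages: {
    "": { dependencies: { tedious: "^16.2.0" } },
    "node_modules/tedious": { version: "16.2.0", dependencies: { "@azure/identity": "^2.1.0" } },
    "node_modules/@azure/identity": { version: "2.1.0", dependencies: { "@azure/msal-node": "^1.16.0" } },
    "node_modules/@azure/msal-node": { version: "1.16.0", dependencies: { jsonwebtoken: "^9.0.0" } },
    "node_modules/jsonwebtoken": { version: "9.0.0", dependencies: { semver: "^7.3.8" } },
    "node_modules/semver": { version: "7.3.8" },
  },
};

// "7.3.8" or "7.3.8-beta.1" -> [7, 3, 8]; pre-release tags are ignored here.
function parseVersion(v) { return v.split("-")[0].split(".").map(Number); }

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// npm resolution: look in the requester's own node_modules, then walk up
// one nesting level at a time until the root "node_modules/<name>" is tried.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; "seen" guards against dependency cycles.
function findVulnerableChains(lockfile, target, fixed) {
  const packages = lockfile.packages;
  const chains = [];
  const walk = (path, trail, seen) => {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolve(packages, path, name);
      if (!depPath || seen.has(depPath)) continue;
      const version = packages[depPath].version;
      const next = [...trail, name + "@" + version];
      if (name === target) {
        if (lessThan(parseVersion(version), fixed)) chains.push(next.join(" > "));
      } else walk(depPath, next, new Set([...seen, depPath]));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findVulnerableChains(LOCKFILE, "semver", FIXED_SEMVER));
```

Point it at a real `package-lock.json` with `JSON.parse(require("fs").readFileSync(...))` in place of the constructed `LOCKFILE`; an empty result after bumping the chain (for example to semver@7.5.4) confirms the transitive fix actually landed in the lockfile.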

Hi @nathanbunn20, can you give #1549 a try? I checked that this should be using semver@7.5.4 under the chain.

commented

Looks good @MichaelSun90 thanks for the quick response, will look forward to this coming soon

Hi @nathanbunn20, the changes have been merged into master and will be in the next release of tedious. I will close this one; if you need anything, feel free to reopen this or open a new issue.