Does it possible to update semver depcy from anything to 7.5.2?

[dc185334]

I have no issues with such npm overrides in my package.json, but it is still my case:

    "semver@7.5.1": "7.5.2",
    "cls-hooked@4.2.2": {
      "semver@5.4.1": "7.5.2"
    },
    "async-listener@0.6.10": {
      "semver@5.7.1": "7.5.2"
    }

[rpodwika]

semver 5.4.1 seem to have CVE https://www.mend.io/vulnerability-database/CVE-2022-25883 any chane to update that dependency?

[gutierrezj2]

having same issue +1

[Regnised]

Having the snyk issue Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795] in semver@7.5.1 introduced by aws-xray-sdk@3.5.0 > aws-xray-sdk-core@3.5.0 > cls-hooked@4.2.2 > semver@5.7.1 and 1 other path(s) This issue was fixed in versions: 7.5.2

[dc185334]

7.5.2 force resolution works like a charm for the last two weeks. Just letting you to know.

[rohitkumarcs]

What is the plan to release the fix of this issue anytime soon?

[rsshilli]

There's a pull request (https://github.com/Jeff-Lewis/cls-hooked/pull/81) that's been sitting there for a month. I'm guessing the author has abandoned this project :-(.