Jeff-Lewis / cls-hooked

cls-hooked : CLS using AsynWrap or async_hooks instead of async-listener for node 4.7+
BSD 2-Clause "Simplified" License
758 stars 89 forks

fix: bump semver to ^7.5.3 to fix audit issue #81

Open joaop-br opened 1 year ago

joaop-br commented 1 year ago

Fixes https://github.com/Jeff-Lewis/cls-hooked/issues/78 issue with npm audit

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semver [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

natan500 commented 1 year ago

I see that the changes here are in dev dependencies but in the last official version - 4.2.2 on npm website, the semver package is a production dependency. https://www.npmjs.com/package/cls-hooked?activeTab=readme
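The distinction raised above (whether `semver` sits in `dependencies` or `devDependencies`, and whether the declared range's lower bound is below the floor this PR proposes) is easy to check mechanically. The following is an added example, not code from cls-hooked or from this PR; the two manifests in it are constructed to mirror the two situations in the thread and are not cls-hooked's real package.json, and the `7.5.3` floor is simply the version the PR bumps to. Only plain `x.y.z` specs with an optional `^`, `~`, `>=`, `=` or `v` prefix are parsed; wildcard ranges are reported as unknown rather than guessed.

```javascript
// Added example (not part of cls-hooked or this PR): locate `semver` in a
// package.json, say whether it is a production or dev dependency, and flag a
// declared range whose lower bound is below the PR's ^7.5.3 floor.

const FIXED_FLOOR = '7.5.3'; // the version this PR bumps semver to

// Parse "x.y.z" (optionally prefixed by ^, ~, >=, = or v) into [x, y, z].
// Anything else (e.g. "*", "1.x") returns null so the caller can report it
// as unknown instead of silently treating it as safe.
function parseVersion(spec) {
  const m = /^\s*(?:\^|~|>=|=|v)?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Report every place `pkgName` is declared in `manifest`. Each finding says
// which field it came from, whether that is a production dependency, and
// whether the range's lower bound is below `floor` (null = could not parse).
// Returns null when the package is not declared at all.
function auditDeclared(manifest, pkgName, floor = FIXED_FLOOR) {
  const floorTriple = parseVersion(floor);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const spec = manifest[field] && manifest[field][pkgName];
    if (spec === undefined) continue;
    const lower = parseVersion(spec);
    findings.push({
      field,
      spec,
      production: field === 'dependencies',
      belowFloor: lower === null ? null : compare(lower, floorTriple) < 0,
    });
  }
  return findings.length ? findings : null;
}

// Constructed sample manifests (not cls-hooked's real files):
// one shaped like the published release described in the thread, where
// semver is a production dependency on an old range, and one shaped like
// this PR, where it is a dev dependency at the bumped range.
const publishedLike = {
  name: 'example-app', version: '4.2.2',
  dependencies: { semver: '^5.0.0' },
};
const prLike = {
  name: 'example-app', version: '4.2.3',
  devDependencies: { semver: '^7.5.3' },
};

function main() {
  for (const m of [publishedLike, prLike]) {
    console.log(m.version, JSON.stringify(auditDeclared(m, 'semver')));
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it with `node` to print one line per manifest; in a CI job the same `auditDeclared` call can be pointed at the real `package.json` after `JSON.parse(fs.readFileSync(...))`, and a finding with `production: true` and `belowFloor: true` is the case the comment above describes.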

magtutu commented 1 year ago

Does anyone know how to contact the module author?