Closed carolabadeer closed 1 year ago
How do we ensure that `cls-hooked` works with the "forced" v7.5.3 of `semver` in our SDK and does not behave unexpectedly?
@srprash `cls-hooked` only uses `semver` in one line, to call the `gte` function, and the module that exports the `gte` function in the `semver` repository has not had any changes in the last 4 years. So the single usage of the `semver.gte()` function in `cls-hooked` would behave the same for the current version in `cls-hooked` (5.7.1) and the forced version we are using (7.5.3), since 5.7.1 was released 4 years ago.

An additional note: there are also many others who reported this vulnerability directly in the `cls-hooked` package, and some contributors even created PRs for upgrading the `semver` version to 7.5.3, but since the library is unmaintained, those PRs have not been addressed. The authors of those issues and PRs report that manually overriding the `semver` version did not cause any issues and resolved the security risk: https://github.com/Jeff-Lewis/cls-hooked/issues/78
Issue #, if available: #599

Description of changes: Use `npm-force-resolutions` to override the vulnerable `semver` dependency `v5.7.1` being installed from `cls-hooked v4.2.2`. It is necessary to manually override the `semver` version as the `cls-hooked` package has not issued a release since 2017.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
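A forced resolution only helps if it actually lands in the lockfile, so the check a reviewer would want after `npm install` is a walk over `package-lock.json` that confirms no nested copy of `semver` below the forced version remains. The script below is an added example, not code from this PR, from `aws-xray-sdk-node`, from `cls-hooked` or from `npm-force-resolutions`; the two lockfile objects are constructed to mirror the situation described in the thread (a nested `semver` 5.7.1 under `cls-hooked` 4.2.2 before the override, none after), and `findOutdatedCopies`, `versionLess` and `parseVersion` are names chosen here.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3, "packages" map)
// for nested copies of a package that sit below a required minimum version.
// Not part of the PR or of any of the projects it mentions.

// Minimal major.minor.patch parser. Prerelease tags are ignored, which is
// sufficient for the release versions discussed in the thread.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a is strictly lower than version b.
function versionLess(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return [{ path, version }] for every installed copy of `name` (top-level or
// nested under another package's node_modules) whose version is below minVersion.
function findOutdatedCopies(lock, name, minVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Lockfile keys look like "node_modules/cls-hooked/node_modules/semver".
    const isTarget =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && entry.version && versionLess(entry.version, minVersion)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: before the override, cls-hooked 4.2.2 carries its own
// nested semver 5.7.1 even though the top-level semver is already 7.5.3.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/cls-hooked": { version: "4.2.2", dependencies: { semver: "^5.4.1" } },
    "node_modules/cls-hooked/node_modules/semver": { version: "5.7.1" },
    "node_modules/semver": { version: "7.5.3" },
  },
};

// Constructed sample: after the forced resolution, the nested copy is gone and
// cls-hooked resolves to the single top-level semver 7.5.3.
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/cls-hooked": { version: "4.2.2", dependencies: { semver: "^5.4.1" } },
    "node_modules/semver": { version: "7.5.3" },
  },
};

// Summarise a lockfile: the list of offending copies plus a pass/fail flag,
// suitable for wiring into a CI step that reads the real package-lock.json.
function auditLock(lock, name, minVersion) {
  const outdated = findOutdatedCopies(lock, name, minVersion);
  return { ok: outdated.length === 0, outdated };
}

console.log("before override:", auditLock(SAMPLE_LOCK_BEFORE, "semver", "7.5.3"));
console.log("after override: ", auditLock(SAMPLE_LOCK_AFTER, "semver", "7.5.3"));
```

To run it against a real tree, replace the sample objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The `resolutions` entry and `preinstall` hook that `npm-force-resolutions` documents (`"resolutions": { "semver": "7.5.3" }` together with `"preinstall": "npx npm-force-resolutions"` in `package.json`) are what produce the "after" shape; the audit above is the independent confirmation that the rewrite of the lockfile happened, and it is worth re-running whenever the lockfile is regenerated, since a fresh `npm install` without the hook would reintroduce the nested 5.7.1.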