socket-security[bot]
commented
2 weeks ago New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/semver@7.5.2 | None | 0 |
92.6 kB | npm-cli-ops |
🚮 Removed packages: npm/semver@7.3.5
This PR contains the following updates:
7.5.0->7.5.27.3.5->7.5.2semver vulnerable to Regular Expression Denial of Service
CVE-2022-25883 / GHSA-c2qf-rxjj-qqgw
More information
#### Details Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) - [https://github.com/npm/node-semver/pull/564](https://togithub.com/npm/node-semver/pull/564) - [https://github.com/npm/node-semver/pull/585](https://togithub.com/npm/node-semver/pull/585) - [https://github.com/npm/node-semver/pull/593](https://togithub.com/npm/node-semver/pull/593) - [https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0](https://togithub.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0) - [https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441](https://togithub.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441) - [https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c](https://togithub.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c) - [https://github.com/npm/node-semver](https://togithub.com/npm/node-semver) - [https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104](https://togithub.com/npm/node-semver/blob/main/classes/range.js#L97-L104) - [https://github.com/npm/node-semver/blob/main/internal/re.js#L138](https://togithub.com/npm/node-semver/blob/main/internal/re.js#L138) - [https://github.com/npm/node-semver/blob/main/internal/re.js#L160](https://togithub.com/npm/node-semver/blob/main/internal/re.js#L160) - [https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795](https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
npm/node-semver (semver)
### [`v7.5.2`](https://togithub.com/npm/node-semver/blob/HEAD/CHANGELOG.md#752-2023-06-15) [Compare Source](https://togithub.com/npm/node-semver/compare/v7.5.1...v7.5.2) ##### Bug Fixes - [`58c791f`](https://togithub.com/npm/node-semver/commit/58c791f40ba8cf4be35a5ca6644353ecd6249edc) [#566](https://togithub.com/npm/node-semver/pull/566) diff when detecting major change from prerelease ([#566](https://togithub.com/npm/node-semver/issues/566)) ([@lukekarrys](https://togithub.com/lukekarrys)) - [`5c8efbc`](https://togithub.com/npm/node-semver/commit/5c8efbcb3c6c125af10746d054faff13e8c33fbd) [#565](https://togithub.com/npm/node-semver/pull/565) preserve build in raw after inc ([#565](https://togithub.com/npm/node-semver/issues/565)) ([@lukekarrys](https://togithub.com/lukekarrys)) - [`717534e`](https://togithub.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441) [#564](https://togithub.com/npm/node-semver/pull/564) better handling of whitespace ([#564](https://togithub.com/npm/node-semver/issues/564)) ([@lukekarrys](https://togithub.com/lukekarrys)) ### [`v7.5.1`](https://togithub.com/npm/node-semver/blob/HEAD/CHANGELOG.md#751-2023-05-12) [Compare Source](https://togithub.com/npm/node-semver/compare/v7.5.0...v7.5.1) ##### Bug Fixes - [`d30d25a`](https://togithub.com/npm/node-semver/commit/d30d25a5c1fb963c3cc9178cb1769fe45e4a3cab) [#559](https://togithub.com/npm/node-semver/pull/559) show type on invalid semver error ([#559](https://togithub.com/npm/node-semver/issues/559)) ([@tjenkinson](https://togithub.com/tjenkinson))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.