Dependency vulnerability - Semver package need to be updated

rearrange commented 1 year ago

I have a test automation repository that implements cypress-cucumber-preprocessor which depends on cucumber-js package. The GitHub Dependabot reported that the semver is vulnerable and suggested to upgrade it to semver v7.5.2 or later.

👓 What did you see?

This can be easily reproducible by installing cucumber-js using npm and then run npm audit. Example below:

✅ What did you expect to see?

No security error shown when running npm audit.
Able to install the latest version of cucumber-js.

📦 Which tool/library version are you using?

Cypress-cucumber-preprocessor v18.0.1 which depends on cucumber v9.1.0 or above.

🔬 How could we reproduce it?

Refer to second screenshot above.

Steps to reproduce the behavior:

Create a new folder
Install cucumber using npm - "npm install @cucumber/cucumber"
Once cucumber has been installed, run "npm audit".
Observe the security vulnerability warning as per screenshot

codetycon commented 1 year ago

@davidjgoss I checked the CHOR and found that code has been merged but the last release still missing this upgrade. See here:

https://github.com/cucumber/cucumber-js/blob/a03329c8eff6abe06185ab8ff8a619810f44dd96/package.json

davidjgoss commented 1 year ago

Released in https://github.com/cucumber/cucumber-js/releases/tag/v9.3.0

cucumber / cucumber-js