ds300 / patch-package

Fix broken node modules instantly 🏃🏽‍♀️💨
MIT License
10.26k stars, 287 forks

CVE-2022-25883 via `semver@5.7.1` #475

Closed s100 closed 1 year ago

s100 commented 1 year ago

patch-package depends on semver@^5.6.0, which is vulnerable to CVE-2022-25883. This can be fixed by upgrading to semver@7.5.3 or later.
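The report above turns on which copies of `semver` an install actually contains, and the affected copy is often a nested one under the dependent package rather than the top-level `node_modules/semver`. As an added example, not patch-package's own code and not part of this issue, here is a check a downstream user could run against a lockfileVersion 2 or 3 `package-lock.json` to list every installed `semver` below the fix version the report gives (7.5.3; that threshold is taken from the comment above and is the one assumption). The lock data embedded in the script is constructed for illustration; the dependent packages' versions are placeholders.

```javascript
// Added example, not patch-package code: flag installed copies of `semver`
// below a fix threshold in a lockfileVersion 2/3 package-lock.json.

// Assumption: the threshold is the version the issue names as fixed (7.5.3).
const SEMVER_FIX_THRESHOLD = '7.5.3';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. Only the numeric fields are ordered; a prerelease of
// X.Y.Z sorts before X.Y.Z, which is the property the threshold check needs.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const field of ['major', 'minor', 'patch']) {
    if (x[field] !== y[field]) return x[field] < y[field] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Walk the "packages" map. Keys are install paths such as
// "node_modules/semver" or "node_modules/foo/node_modules/semver", so an
// older nested copy pulled in by one dependency is found even when the
// top-level semver is already patched.
function findVulnerableSemver(lock, threshold = SEMVER_FIX_THRESHOLD) {
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  }
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (!/(^|\/)node_modules\/semver$/.test(installPath)) continue;
    if (!entry.version) continue; // workspace links carry no version
    if (compareVersions(entry.version, threshold) < 0) {
      findings.push({ path: installPath, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return findings;
}

// Constructed sample lock (not a real project's lockfile). The dependent
// packages' versions are placeholders; only the semver entries matter.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'patch-package': '*' } },
    'node_modules/patch-package': { version: '0.0.0', dependencies: { semver: '^5.6.0' } },
    'node_modules/patch-package/node_modules/semver': { version: '5.7.1' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/some-dev-tool': { version: '0.0.0', dev: true, dependencies: { semver: '^6.0.0' } },
    'node_modules/some-dev-tool/node_modules/semver': { version: '6.3.0', dev: true },
  },
};

// One line per finding, in a form that is easy to grep or paste into an issue.
function report(findings) {
  return findings.map((f) => `${f.path}@${f.version}${f.dev ? ' (dev)' : ''}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const findings = findVulnerableSemver(lock);
  for (const line of report(findings)) console.log(`vulnerable: ${line}`);
  if (findings.length === 0) console.log(`no semver below ${SEMVER_FIX_THRESHOLD} found`);
  if (file && findings.length > 0) process.exitCode = 1;
}
```

Run it as `node scan-semver.js path/to/package-lock.json` (the script name is arbitrary); with no argument it scans the embedded sample and reports the nested `5.7.1` under `patch-package` and the `6.3.0` dev copy while leaving the patched top-level `7.5.4` alone. It reads only the `packages` map of lockfile v2/v3, so lockfile v1 projects should use `npm ls semver` instead, which prints the same nesting interactively.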

toastwaffle commented 1 year ago

#466 would fix this

rsanchez commented 1 year ago

Noting that #466 does not fix this, since that only bumps the semver version to 7.0.0, and not 7.5.3 or above.

#477 would fix this.

s100 commented 1 year ago

Fixed in patch-package@7.0.1.