ds300 / patch-package

Fix broken node modules instantly 🏃🏽‍♀️💨
MIT License

Bump semver to version ^7.5.3 to resolve CVE-2022-25883 #477

Closed. rsanchez closed this 1 year ago

rsanchez commented 1 year ago

https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Fixes #475
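As an added example (not part of patch-package or this PR), a small audit helper that walks a parsed `package-lock.json` and flags every installed copy of `semver` below the fixed release named in the advisory quoted above. It uses only plain JavaScript, applies the "before 7.5.2" threshold as stated on this page, and the lockfile below is a constructed sample.

```javascript
// Versions of semver below this are treated as affected (per the advisory text above).
const FIXED = [7, 5, 2];

// Parse "1.2.3" or "1.2.3-beta.1" into numeric [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `v` sorts strictly before FIXED (pre-release tags are ignored here).
function isVulnerable(v) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED[i]) return a[i] < FIXED[i];
  }
  return false;
}

// Takes a parsed lockfile (v2/v3 "packages" map or v1 nested "dependencies" tree)
// and returns [{ path, version }] for every affected semver install, including
// nested copies that a transitive dependency pins on its own.
function findVulnerableSemver(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, info] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/semver') && info.version && isVulnerable(info.version)) {
        hits.push({ path: p, version: info.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'semver' && isVulnerable(info.version)) hits.push({ path: p, version: info.version });
      walk(info.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3 layout): the top-level copy is patched, the
// nested copy pulled in by another package is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/some-dep/node_modules/semver': { version: '7.3.8' },
  },
};
```

Feed it the parsed contents of a real lockfile to see which dependency paths still need the bump; a hit under a nested `node_modules` path means a transitive dependency, not your own manifest, is pinning the old version.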

jayarjo commented 1 year ago

When will this be released?

GraceDmello commented 1 year ago

@ds300 Can we please release this version?

ds300 commented 1 year ago

just released in 7.0.2