electron / node-abi

:turtle: :rocket: Get the Node.js and Electron ABI for a given target and runtime
https://www.npmjs.com/node-abi
MIT License

Semver Dependency - CVE-2022-25883 Vulnerability #158

Closed · 7emretelli closed this 10 months ago

7emretelli commented 10 months ago

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch node-abi@3.52.0 for the project I'm working on.

semver, a dependency of the node-abi package, has the CVE-2022-25883 vulnerability. After carefully comparing the 7.3.5 and 7.5.3 versions of semver, I concluded that no code updates are needed; only the semver version needs to be updated for node-abi.

NPM Audit: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Here is the diff that solved my problem:

diff --git a/node_modules/node-abi/package.json b/node_modules/node-abi/package.json
index 1f462bf..1bc9e4e 100644
--- a/node_modules/node-abi/package.json
+++ b/node_modules/node-abi/package.json
@@ -32,7 +32,7 @@
     "tape": "^5.3.1"
   },
   "dependencies": {
-    "semver": "^7.3.5"
+    "semver": "^7.5.3"
   },
   "engines": {
     "node": ">=10"
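Review bot: the bump on the `-`/`+` lines (`"semver": "^7.3.5"` to `"semver": "^7.5.3"`) does not change which release a fresh install resolves, because a caret range already admits any later 7.x, so `^7.3.5` already accepts 7.5.3; the edit only raises the floor. The vulnerable copy in an existing tree is pinned by the lockfile, so regenerating the lockfile entry (`npm update semver` or `npm audit fix`) is the actual remediation, and since this hunk targets `node_modules/node-abi/package.json` it is a local patch-package override rather than a change to the published package.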

This issue body was partially generated by patch-package.

MarshallOfSound commented 10 months ago

You don't need to use patch-package for this, those semver ranges are compatible and result in the same version being installed
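The point in the comment above, that `^7.3.5` and `^7.5.3` resolve to the same semver release, follows from how npm's caret ranges work. The block below is an added example, not code from node-abi, patch-package or this thread; it reimplements only the caret case for plain MAJOR.MINOR.PATCH versions (real projects should use the `semver` package itself) and runs against a constructed list of published versions rather than a registry query.

```javascript
// Added example (not part of the node-abi project or this issue thread):
// a minimal implementation of npm's caret (^) range semantics for plain
// MAJOR.MINOR.PATCH versions, used to show why "^7.3.5" and "^7.5.3"
// resolve to the same semver release. Prerelease tags and other range
// operators are deliberately out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison (lexicographic string compare would
// put 7.10.0 before 7.9.0, which is exactly the kind of bug that hides here).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ^X.Y.Z allows changes that do not modify the left-most non-zero component:
//   ^7.3.5  -> >=7.3.5 <8.0.0
//   ^0.3.5  -> >=0.3.5 <0.4.0
//   ^0.0.5  -> >=0.0.5 <0.0.6
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const [major, minor, patch] = parseVersion(range.slice(1));
  const lower = `${major}.${minor}.${patch}`;
  let upper;
  if (major > 0) upper = `${major + 1}.0.0`;
  else if (minor > 0) upper = `0.${minor + 1}.0`;
  else upper = `0.0.${patch + 1}`;
  return { lower, upper };
}

function satisfies(version, range) {
  const { lower, upper } = caretBounds(range);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Highest available version that satisfies the range (what a fresh install
// without a lockfile would pick), or null if nothing in the list qualifies.
function maxSatisfying(available, range) {
  const ok = available.filter((v) => satisfies(v, range));
  if (ok.length === 0) return null;
  return ok.reduce((best, v) => (compareVersions(v, best) > 0 ? v : best));
}

// Constructed sample of published semver releases (not a live registry query).
const PUBLISHED = ['7.3.5', '7.3.8', '7.5.2', '7.5.3', '7.5.4', '8.0.0'];

// Both ranges from the diff pick the same release from the same snapshot.
console.log(maxSatisfying(PUBLISHED, '^7.3.5')); // 7.5.4
console.log(maxSatisfying(PUBLISHED, '^7.5.3')); // 7.5.4

// The only difference is the floor: the already-installed 7.3.5 still
// satisfies ^7.3.5, which is why a stale lockfile keeps the old copy.
console.log(satisfies('7.3.5', '^7.3.5')); // true
console.log(satisfies('7.3.5', '^7.5.3')); // false
```

The practical reading for a dependency audit: the range in `package.json` decides what a fresh resolution may pick, while the lockfile decides what is actually on disk. If the lockfile still records 7.3.5, refreshing that entry (for example with `npm update semver`) moves the tree to a fixed release without touching the package's declared range.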