Description:
Security scanners alerted that the nvs tool contains a vulnerable version of the semver package.

nvs contains a local instance of semver v5.4.1 in the deps folder. This version is vulnerable to Regular Expression Denial of Service (ReDoS). According to the GitHub Advisory, updating the package to version 5.7.2 should remediate the vulnerability.

Link to related semver release: https://github.com/npm/node-semver/releases/tag/v5.7.2

Changelog:
semver package updated to v5.7.2 (5.4.1 -> 5.7.2)
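
A check for vendored copies like the one described above, as an added example that is not part of the original description or of the nvs code base: it walks a directory tree, finds every package.json named semver, and flags 5.x versions below 5.7.2. The function names, the status labels and the deps/semver layout of the sample tree are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const FIXED_5X = [5, 7, 2]; // remediated version named in the description above

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored); null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively collect every package.json whose "name" is "semver".
function findVendoredSemver(root) {
  const hits = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) {
      hits.push(...findVendoredSemver(full));
    } else if (entry.name === 'package.json') {
      let pkg;
      try { pkg = JSON.parse(fs.readFileSync(full, 'utf8')); } catch { continue; }
      if (pkg.name !== 'semver') continue;
      const ver = parseVersion(pkg.version);
      const status = !ver ? 'unparsed'
        : ver[0] !== 5 ? 'not-assessed' // only the 5.x line is covered here
        : isBelow(ver, FIXED_5X) ? 'vulnerable' : 'ok';
      hits.push({ file: full, version: pkg.version, status });
    }
  }
  return hits;
}

// Constructed sample tree (layout assumed): <tmp>/deps/semver/package.json
function buildSampleTree(version) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'vendored-'));
  const dir = path.join(root, 'deps', 'semver');
  fs.mkdirSync(dir, { recursive: true });
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name: 'semver', version }));
  return root;
}

console.log(findVendoredSemver(buildSampleTree('5.4.1')));
```

Running the same scan after the update confirms that no copy below 5.7.2 is left anywhere in the tree.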