jasongin / nvs

Node Version Switcher - A cross-platform tool for switching between versions and forks of Node.js

[deps] Bump up local instance of `semver` package due to GHSA-c2qf-rxjj-qqgw #283

Closed alexander-smolyakov closed 1 year ago

alexander-smolyakov commented 1 year ago

Description:

Security scanners alerted that the nvs tool contains a vulnerable version of the semver package.

nvs contains a local instance of semver v5.4.1 in the deps folder. This version is vulnerable to Regular Expression Denial of Service (ReDoS). According to the GitHub Advisory, updating the package to version 5.7.2 should remediate the vulnerability.

Link to related semver release: https://github.com/npm/node-semver/releases/tag/v5.7.2

Changelog:

alexander-smolyakov commented 1 year ago

Hey @jasongin, could you please take a look at this PR?