Closed Nicholas-Arthur-Cook closed 1 year ago
Hello @Nicholas-Arthur-Cook,
Thank you for the contribution.
As an aside, the most recent version of this package is already using 7.5.4. Development has moved to: https://github.com/launchdarkly/js-core/tree/main/packages/sdk/server-node
And the package is now @launchdarkly/node-server-sdk.
Relevant package.json: https://github.com/launchdarkly/js-core/blob/36eb906e4cb77277b0d11ffb2488050c87b41026/packages/shared/sdk-server/package.json#L32C22-L32C22
The 7.x SDK has long term support, so bumping the minimum here will still be done.
It is worth noting that it isn't pinned to a minor, so an actual install will likely have a newer version, unless a package lock is forcing this version.
Thanks, Ryan
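As an added example (not code from this PR or from the LaunchDarkly SDK), a small Node script that checks whether a package-lock.json is forcing a copy of semver below a chosen minimum, which is the case Ryan describes above. It assumes the lockfile v2/v3 layout (a top-level `packages` map keyed by install path); the sample lock file, its package names and its versions are constructed.

```javascript
// Added example: find every copy of a package that a lock file pins below a minimum.
// Assumes lockfile v2/v3 layout (top-level "packages" map keyed by install path).

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts below the same release (7.5.4-beta.1 < 7.5.4).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // simple lexical prerelease ordering
}

// Return every install path whose package name is `name` and whose locked
// version is older than `minVersion`, including nested copies.
function findStaleLocks(lock, name, minVersion) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The package name is the segment after the last "node_modules/".
    const segs = path.split('node_modules/');
    if (segs[segs.length - 1] !== name || !entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      stale.push({ path, version: entry.version });
    }
  }
  return stale;
}

// Constructed sample lock file: the top-level semver is current, but a nested
// copy under a constructed dependency is pinned to an older 7.x release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/some-dependency': { version: '1.0.0' },
    'node_modules/some-dependency/node_modules/semver': { version: '7.3.8' },
  },
};

console.log(findStaleLocks(sampleLock, 'semver', '7.5.4'));
```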
@Nicholas-Arthur-Cook Released in 7.0.3.
Requirements
Related issues
CVE-2022-25883
Describe the solution you've provided
The security warning CVE-2022-25883 mentions that there was a ReDoS through semver's Range function, which is not used in this codebase. However, having the old version causes security warnings for tools that use the launchdarkly-node-server-sdk npm package.

Describe alternatives you've considered
An alternative is waiting for the LaunchDarkly SDK team to update this themselves, or to open an issue to track this, but since it's a minor patch bump, I thought this was the most convenient way.
Additional context
n/a