Closed. fhemberger closed this issue 8 years ago.
@othiym23 as you just did the recent release, I thought I'd ask again if it's possible to fix this … You already landed the change in npm itself 18 months ago.
@fhemberger Because npm-registry-client is used in a variety of places, and it's important that it be compatible with the version of semver included in those places (like the CLI itself), the CLI team will be leaving that dependency as it stands. Users of nsp or snyk will receive advisories that they're using a vulnerable version of semver, and new installers should get the latest version of semver@4, mitigating the vulnerability. Thanks for your time, though!
Is it possible to update the registry client to semver@4.3.2 and remove v2 and v3 from package.json, because of the ReDoS vulnerability?
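The thread's point is that the npm-registry-client dependency range still admits semver v2 and v3, so whether a given install is exposed depends on which copies of semver actually landed in the tree. The following is an added example, not code from npm-registry-client, the npm CLI, nsp or snyk: it walks an `npm ls --json`-style dependency tree and reports every installed copy of `semver` older than 4.3.2, the release the thread names as the fix. The sample tree, including the `npm-registry-client` version number and the `some-other-dep` and `example-app` names, is constructed for illustration.

```javascript
// Added example, not part of npm-registry-client or the npm CLI.
// Reports every installed copy of `semver` older than 4.3.2 (the fixed release
// named in the thread) in an `npm ls --json`-style dependency tree.
// Run with: npm ls --json > tree.json, then point `sampleTree` at the parsed file.

const FIXED_SEMVER = '4.3.2';

// Parse "MAJOR.MINOR.PATCH" (ignoring any prerelease/build suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over MAJOR.MINOR.PATCH: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps. Collects each installed
// copy of `name` together with the chain of packages that pulled it in, so a
// nested duplicate is distinguished from the top-level copy.
function findInstalls(tree, name, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...path, `${depName}@${info.version}`];
    if (depName === name) out.push({ version: info.version, path: here });
    findInstalls(info, name, here, out);
  }
  return out;
}

// Every semver install strictly older than the fixed release.
function vulnerableSemverInstalls(tree) {
  return findInstalls(tree, 'semver')
    .filter(hit => compareVersions(hit.version, FIXED_SEMVER) < 0);
}

// Constructed sample tree (names and versions are illustrative): a modern
// semver at top level, an old v2 copy nested under npm-registry-client, and a
// patched v4 copy nested one level deeper.
const sampleTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    semver: { version: '5.3.0' },
    'npm-registry-client': {
      version: '7.0.0',
      dependencies: {
        semver: { version: '2.3.2' },
        'some-other-dep': {
          version: '1.0.0',
          dependencies: { semver: { version: '4.3.6' } }
        }
      }
    }
  }
};

for (const hit of vulnerableSemverInstalls(sampleTree)) {
  console.log(`semver@${hit.version} via ${hit.path.join(' > ')}`);
}
```

The check deliberately ignores what package.json ranges promise and looks only at what was installed, which is the distinction the reply above draws: a range of `2 || 3 || 4` can be satisfied by a patched semver@4 on a fresh install while an older lockfile or cache still carries a v2 copy.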