npm / npm-registry-client

http://npm.im/npm-registry-client
ISC License

Update to semver@4.3.2 (fix vulnerability) #118

Closed fhemberger closed 8 years ago

fhemberger commented 9 years ago

Is it possible to update the registry client to semver@4.3.2 and remove v2 and v3 from package.json, because of the ReDoS vulnerability?

fhemberger commented 8 years ago

@othiym23 as you just did the recent release, I thought I'd ask again if it's possible to fix this … You already landed the change in npm itself 18 months ago.

https://snyk.io/vuln/npm:semver:20150403

othiym23 commented 8 years ago

@fhemberger Because npm-registry-client is used in a variety of places, and it's important that it be compatible with the version of semver included in those places (like the CLI itself), the CLI team will be leaving that dependency as it stands. Users of nsp or snyk will receive advisories that they're using a vulnerable version of semver, and new installers should get the latest version of semver@4, mitigating the vulnerability. Thanks for your time, though!
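To make the two positions in this thread concrete, here is an added example (not code from npm-registry-client or from the semver package) of a minimal range resolver. It assumes the dependency is declared as a disjunction of majors such as `2 || 3 || 4` (the issue only says v2 and v3 are listed) and uses a constructed list of published versions; it shows why a fresh install resolves to the newest 4.x while the same range still admits the older, unpatched releases.

```javascript
// Added example: a tiny subset of semver range resolution, enough to model
// bare majors ("4"), caret ranges ("^4.3.2") and comparator sets
// (">=4.0.0 <5.0.0"). The real semver package handles far more syntax.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric compare of two "x.y.z" strings: -1, 0 or 1.
function compare(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Expand one clause (no "||") into [operator, version] comparators.
function comparators(clause) {
  return clause.trim().split(/\s+/).flatMap((term) => {
    let m;
    if ((m = /^(\d+)$/.exec(term)))                  // "4"      => >=4.0.0 <5.0.0
      return [['>=', `${m[1]}.0.0`], ['<', `${+m[1] + 1}.0.0`]];
    if ((m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(term)))  // "^4.3.2" => >=4.3.2 <5.0.0
      return [['>=', `${m[1]}.${m[2]}.${m[3]}`], ['<', `${+m[1] + 1}.0.0`]];
    if ((m = /^(>=|<=|>|<|=)(\d+\.\d+\.\d+)$/.exec(term))) return [[m[1], m[2]]];
    throw new Error(`unsupported range term: ${term}`);
  });
}

const OPS = { '>=': (c) => c >= 0, '>': (c) => c > 0, '<=': (c) => c <= 0,
              '<': (c) => c < 0, '=': (c) => c === 0 };

// A version satisfies a range if any "||" clause has all comparators true.
function satisfies(version, range) {
  return range.split('||').some((clause) =>
    comparators(clause).every(([op, v]) => OPS[op](compare(version, v))));
}

// What a fresh install picks: the highest published version the range admits.
function maxSatisfying(published, range) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Defender's check: which published versions older than the fixed release does
// the declared range still admit? Existing installs on those are not pulled forward.
function admitsVulnerable(published, range, fixedVersion) {
  return published.filter((v) => compare(v, fixedVersion) < 0 && satisfies(v, range));
}

// Constructed sample of published versions (not the real semver release list).
const PUBLISHED = ['2.3.2', '3.0.1', '4.3.1', '4.3.2', '4.3.3'];
```

Running `admitsVulnerable(PUBLISHED, '2 || 3 || 4', '4.3.2')` lists the 2.x, 3.x and 4.3.1 releases the range still accepts, whereas the tightened `^4.3.2` range returns none.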