postcss / postcss-cli

CLI for postcss

semver-regex vulnerability #393

Closed jstirnaman closed 2 years ago

jstirnaman commented 2 years ago

CVE-2021-3795
moderate severity
Vulnerable versions: < 3.1.3
Patched version: 3.1.3
npm semver-regex is vulnerable to Inefficient Regular Expression Complexity

```text
updater | I, [2021-09-20T23:05:57.040999 #7] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes
updater | warning: 2.7.4-compliant syntax, but you are running 2.7.1.
updater | warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO Starting job processing
updater | INFO Starting update job for influxdata/docs-v2
updater | INFO Checking if semver-regex 2.0.0 needs updating
proxy | 2021/09/20 23:06:00 [014] GET https://registry.npmjs.org:443/semver-regex
proxy | 2021/09/20 23:06:00 [014] 200 https://registry.npmjs.org:443/semver-regex
proxy | 2021/09/20 23:06:00 [016] GET https://registry.npmjs.org:443/semver-regex/3.1.3
updater | INFO Latest version is 3.1.3
proxy | 2021/09/20 23:06:00 [016] 200 https://registry.npmjs.org:443/semver-regex/3.1.3
proxy | 2021/09/20 23:06:04 [018] GET https://registry.yarnpkg.com:443/semver-regex
proxy | 2021/09/20 23:06:04 [018] 200 https://registry.yarnpkg.com:443/semver-regex
updater | INFO Requirements to unlock update_not_possible
updater | INFO Requirements update strategy bump_versions
updater | INFO The latest possible version that can be installed is 2.0.0 because of the following conflicting dependency:
updater |
updater | hugo-extended@0.83.1 requires semver-regex@^2.0.0 via a transitive dependency on find-versions@3.2.0
updater | INFO The earliest fixed version is 3.1.3.
updater | INFO Finished job processing
updater | time="2021-09-20T23:06:06Z" level=info msg="task complete" container_id=job-207053177-updater exit_code=0 job_id=207053177 step=updater
```
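The log above ends with `update_not_possible` because the only edge that pins `semver-regex` is `find-versions@3.2.0 requires semver-regex@^2.0.0`, and a caret range on 2.x never admits 3.1.3. The following is an added example, not code from postcss-cli, Dependabot or any of the packages named in the log: it walks a constructed dependency tree shaped like the chain in the log, finds every path to the vulnerable package, and reports which parent requirement blocks the fixed version. The root package's version, its range on `hugo-extended`, and `hugo-extended`'s range on `find-versions` are assumptions; only the `find-versions -> semver-regex@^2.0.0` edge and the versions 0.83.1 / 3.2.0 / 2.0.0 / 3.1.3 come from the log.

```javascript
// Added example: why a Dependabot bump of a transitive dependency can be
// blocked. Not project code; the tree below is a constructed sample.

// Parse "MAJOR.MINOR.PATCH" (prerelease and build metadata are ignored here).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  const [maj, min, pat] = parseVersion(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// Minimal range check: exact versions and caret ranges only, which is all
// the chain in the log needs. A real tool would use the semver package.
function satisfies(version, range) {
  const r = range.trim();
  if (r.startsWith("^")) {
    const base = r.slice(1);
    return compareVersions(version, base) >= 0 &&
      compareVersions(version, caretUpperBound(base)) < 0;
  }
  return compareVersions(version, r) === 0;
}

// Depth-first search for every dependency path from `root` to `target`.
// `tree` maps package name -> { version, dependencies: { name: range } }.
// (A real lockfile can hold several versions of one name; this sample keeps
// one node per name for clarity.)
function findPaths(tree, root, target) {
  const paths = [];
  const walk = (name, path, seen) => {
    const node = tree[name];
    if (!node || seen.has(name)) return;
    if (name === target) { paths.push(path); return; }
    const next = new Set(seen).add(name);
    for (const [dep, range] of Object.entries(node.dependencies || {})) {
      walk(dep, [...path, { parent: name, parentVersion: node.version, dep, range }], next);
    }
  };
  walk(root, [], new Set());
  return paths;
}

// For each path, the last edge is the requirement that pins `target`; if the
// fixed version falls outside that range, the bump is blocked by that parent.
function analyzeUpdate(tree, root, target, fixedVersion) {
  const blockedBy = [];
  for (const path of findPaths(tree, root, target)) {
    const last = path[path.length - 1];
    if (!satisfies(fixedVersion, last.range)) {
      blockedBy.push({
        chain: path.map(e => `${e.parent}@${e.parentVersion}`).join(" -> ") + ` -> ${target}`,
        requirement: `${last.parent}@${last.parentVersion} requires ${target}@${last.range}`,
      });
    }
  }
  return { updatePossible: blockedBy.length === 0, blockedBy };
}

// Constructed sample tree. Assumptions: the root's version, its range on
// hugo-extended, and hugo-extended's range on find-versions.
const sampleTree = {
  "docs-v2": { version: "0.0.0", dependencies: { "hugo-extended": "^0.83.1" } },
  "hugo-extended": { version: "0.83.1", dependencies: { "find-versions": "^3.2.0" } },
  "find-versions": { version: "3.2.0", dependencies: { "semver-regex": "^2.0.0" } },
  "semver-regex": { version: "2.0.0", dependencies: {} },
};

const report = analyzeUpdate(sampleTree, "docs-v2", "semver-regex", "3.1.3");
console.log(JSON.stringify(report, null, 2));
```

Running it reports `updatePossible: false` with the single blocking requirement `find-versions@3.2.0 requires semver-regex@^2.0.0`, which matches the log's conclusion: the fix has to come from a new `find-versions` (or `hugo-extended`) release that widens the range, not from the repository that received the alert.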

RyanZim commented 2 years ago

This dependency alert isn't even for postcss-cli, it's for hugo-extended.

jstirnaman commented 2 years ago

Sorry.