postmanlabs / postman-code-generators

Common repository for all code generators shipped with Postman
Apache License 2.0
981 stars 348 forks

[Security] semver (dependency) vulnerable to Regular Expression Denial of Service #733

Open KareemMAX opened 3 months ago

KareemMAX commented 3 months ago

Describe the bug
This package is dependent on an old version of postman-collection which is dependent on a vulnerable semver version.

To Reproduce
When running npm audit the following output appears:

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install postman-code-generators@1.0.2, which is a breaking change
node_modules/postman-collection/node_modules/semver
  postman-collection  3.6.0-beta.1 - 4.1.7
  Depends on vulnerable versions of semver
  node_modules/postman-collection
    postman-code-generators  >=1.1.0
    Depends on vulnerable versions of postman-collection
    node_modules/postman-code-generators

3 moderate severity vulnerabilities

Fix suggestion
Update postman-collection to version 4.4.0.

Additional context
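As an added example (not code from the issue or from the postman-code-generators project), the script below reads the `packages` map of a package-lock.json (lockfile v2/v3), finds every copy of semver inside the range npm audit flagged (7.0.0 - 7.5.1, GHSA-c2qf-rxjj-qqgw), and reports the dependency chain that pins each copy, so a maintainer can see whether the nested `postman-collection/node_modules/semver` copy is still present after an upgrade. The lockfile fragment is constructed to mirror the audit output above and is not a real lockfile.

```javascript
// Added example: locate nested, vulnerable copies of semver in a package-lock.json.
// The range matches the advisory in the issue's npm audit output (constructed sample data below).
const VULNERABLE = { name: 'semver', min: [7, 0, 0], max: [7, 5, 1] };

// Parse "1.2.3" or "1.2.3-beta.1" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Inclusive check, matching how npm audit prints "7.0.0 - 7.5.1".
function inRange(version, min, max) {
  const v = parseVersion(version);
  return compare(v, min) >= 0 && compare(v, max) <= 0;
}

// Lockfile keys look like "node_modules/a/node_modules/b"; turn them into the
// chain of package names ["a", "b"] so the owner of a nested copy is visible.
function chainOf(key) {
  return key.split('node_modules/').map(s => s.replace(/\/$/, '')).filter(Boolean);
}

// Returns one hit per vulnerable copy: its lockfile path, version and the packages it sits under.
function findVulnerable(lock, vuln = VULNERABLE) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const chain = chainOf(key);
    if (chain[chain.length - 1] !== vuln.name || !meta.version) continue;
    if (inRange(meta.version, vuln.min, vuln.max)) {
      hits.push({ path: key, version: meta.version, via: chain.slice(0, -1) });
    }
  }
  return hits;
}

// Constructed lockfile fragment mirroring the issue's audit tree (not a real lockfile).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'app', version: '0.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/postman-code-generators': { version: '1.1.0' },
    'node_modules/postman-collection': { version: '4.1.7' },
    'node_modules/postman-collection/node_modules/semver': { version: '7.5.1' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`${h.path} (${h.version}) via ${h.via.join(' > ')}`);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result after updating postman-collection confirms the nested copy is gone.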