remy / nodemon

Monitor for any changes in your node.js application and automatically restart the server - perfect for development
http://nodemon.io/
MIT License
26.21k stars, 1.72k forks

Security advice semver #2119

Closed NormandoHall closed 1 year ago

NormandoHall commented 1 year ago

https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

```
nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
```

wellwelwel commented 1 year ago

A lot of packages use semver in versions earlier than 7.5.2.

I solved it temporarily by:

YARN

package.json

```json
"resolutions": {
  "**/semver": "^7.5.2"
}
```

- Then

```sh
yarn install
```

NPM

package.json

```json
"resolutions": {
  "semver": "7.5.2"
}
```

fluentmoheshwar commented 1 year ago

> A lot of packages use semver in versions earlier than 7.5.2.
>
> I solved it temporarily by:
>
> YARN
>
> package.json
>
> ```json
> "resolutions": {
>   "**/semver": "^7.5.2"
> }
> ```
>
> - Then
>
> ```sh
> yarn install
> ```
>
> - Checking
>
> ```sh
> yarn audit
> ```
>
> NPM
>
> package.json
>
> ```json
> "resolutions": {
>   "semver": "7.5.2"
> }
> ```
>
> - Then
>
> ```sh
> npm i -D npm-force-resolutions
> npx npm-force-resolutions
> ```
>
> - Checking
>
> ```sh
> npm audit
> ```

You could also use (doesn't require npm-force-resolutions):

```json
"overrides": {
  "semver": "7.5.2"
}
```

joaomoreno commented 1 year ago

A better approach:

```json
"overrides": {
  "nodemon": {
    "simple-update-notifier": {
      "semver": "^7.5.2"
    }
  }
}
```

zang3tsu88 commented 1 year ago

> A better approach:
>
> ```json
> "overrides": {
>   "nodemon": {
>     "simple-update-notifier": {
>       "semver": "^7.5.2"
>     }
>   }
> }
> ```

Thanks, but this one doesn't fix the issue. Out of 3 moderate vulnerabilities it leaves 2. The previous one helped.

github-actions[bot] commented 1 year ago

:tada: This issue has been resolved in version 3.0.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: