remy / nodemon

Monitor for any changes in your node.js application and automatically restart the server - perfect for development
http://nodemon.io/
MIT License
26.13k stars 1.72k forks

Issue on a dependency - CVE-2022-25883 #2150

Closed Reni88 closed 6 months ago

Reni88 commented 7 months ago

Hi,

Good day. Just wanted to inform you that we encountered a security issue on one of nodemon's dependencies for its version 2.0.22:

Dependency: semver
Version: 7.0.0

It is raised under this CVE ID: CVE-2022-25883

If this was already discussed and a resolution was already delivered, let us know. Thank you.

remy commented 7 months ago

This is strange, because nodemon has been using semver@^7.5.3 for over 6 months (as you can see from this commit back in June: https://github.com/remy/nodemon/commit/083b4a6c3e0cd12605c47d5837499edf9b4f81b2).

Are you sure, or is this just a randomly generated output from your command line that happens to be out of date?
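One way to check what remy is asking about, as an added example that is not part of this thread or of nodemon's own code: walk a package-lock.json (lockfileVersion 2 or 3) and list every installed copy of semver that is older than 7.5.2, the release in which CVE-2022-25883 is patched. The lockfile below, including the "legacy-tool" package that pins a nested semver@7.0.0, is constructed for the example; a scanner that only reads a stale lockfile can flag a version that the current tree no longer contains.

```javascript
// Added example, not nodemon's code: report every installed copy of a package
// resolved below a minimum version, using the "packages" map of a v2/v3 lockfile.

// Constructed sample lockfile: nodemon resolves semver@7.5.3 at the top level,
// while a hypothetical "legacy-tool" carries its own nested semver@7.0.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { nodemon: "^2.0.22" } },
    "node_modules/nodemon": { version: "2.0.22", dependencies: { semver: "^7.5.3" } },
    "node_modules/semver": { version: "7.5.3" },
    "node_modules/legacy-tool": { version: "1.0.0", dependencies: { semver: "7.0.0" } },
    "node_modules/legacy-tool/node_modules/semver": { version: "7.0.0" },
  },
};

// Version in which the semver ReDoS (CVE-2022-25883) is fixed.
const PATCHED_SEMVER = "7.5.2";

// Compare two dotted versions numerically; prerelease/build suffixes are ignored.
// Returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{ path, version }] for every installed copy of `pkg` below `minVersion`.
// Each copy lives at a lockfile key ending in "node_modules/<pkg>", so nested
// duplicates (which "npm ls" can hide behind deduping) are found too.
function findOutdatedCopies(lock, pkg, minVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${pkg}`)) continue;
    if (entry.version && compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

console.log(findOutdatedCopies(SAMPLE_LOCK, "semver", PATCHED_SEMVER));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means no installed copy of semver predates the fix.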

github-actions[bot] commented 6 months ago

This issue has been automatically marked as idle and stale because it hasn't had any recent activity. It will be automatically closed if no further activity occurs. If you think this is wrong, or the problem still persists, just pop a reply in the comments and @remy will (try!) to follow up. Thank you for contributing <3

Reni88 commented 6 months ago

Hi @remy, thank you for the response. Yes, we concluded that we are not using the version with that commit. We will update the package to include this. Thank you again!