twilio / twilio-node

Node.js helper library
MIT License

semver vulnerable to Regular Expression Denial of Service #959

Closed prince76007 closed 8 months ago

prince76007 commented 9 months ago

Issue Summary

    semver  <5.7.2
    Severity: moderate
    semver vulnerable to Regular Expression Denial of Service - CVE-2022-25883 - GitHub Advisory Database
    No fix available
    node_modules/utf7/node_modules/semver
      utf7  >=1.0.2
      Depends on vulnerable versions of semver
      node_modules/utf7
        node-imap  *
        Depends on vulnerable versions of utf7
        node_modules/node-imap

sbansla commented 8 months ago

Below are the semver versions we are using:

    ├─┬ @babel/preset-env@7.21.4
    │ ├─┬ @babel/core@7.21.4
    │ │ └── semver@6.3.0 deduped
    │ ├─┬ @babel/helper-compilation-targets@7.21.4
    │ │ └── semver@6.3.0 deduped
    │ ├─┬ babel-plugin-polyfill-corejs2@0.3.3
    │ │ ├─┬ @babel/helper-define-polyfill-provider@0.3.3
    │ │ │ └── semver@6.3.0 deduped
    │ │ └── semver@6.3.0 deduped
    │ └── semver@6.3.0
    ├─┬ jest@29.5.0
    │ └─┬ @jest/core@29.5.0
    │   ├─┬ @jest/reporters@29.5.0
    │   │ ├─┬ istanbul-lib-instrument@5.2.1
    │   │ │ └── semver@6.3.0 deduped
    │   │ └─┬ istanbul-lib-report@3.0.0
    │   │   └─┬ make-dir@3.1.0
    │   │     └── semver@6.3.0 deduped
    │   └─┬ jest-snapshot@29.5.0
    │     └── semver@7.5.0
    ├─┬ jsonwebtoken@9.0.2
    │ └── semver@7.5.4
    └─┬ ts-jest@29.1.0
      └── semver@7.5.0

sbansla commented 8 months ago

@prince76007 Thank you for informing us. We have upgraded the semver version. It was a transitive dependency for us. Below is the PR. Closing this ticket; you can reopen it if you have questions. https://github.com/twilio/twilio-node/pull/966