twolfson / spritesmith

Utility that takes sprites and converts them into a stylesheet and its coordinates
MIT License
914 stars 56 forks

Semver ~5.0.3 has vulnerability #92

Closed (gun0317 closed 2 weeks ago)

gun0317 commented 1 year ago

semver versions under 5.7.2 have a vulnerability - Regular Expression Denial of Service (ReDoS): https://security.snyk.io/package/npm/semver

Please consider upgrading semver to 5.7.2 as this version fixes the issue.

twolfson commented 1 year ago

My bandwidth is somewhat limited at the moment. Do you mind creating a PR and testing it?

ChrisdeWolf commented 2 weeks ago

Opened a PR for this - https://github.com/twolfson/spritesmith/pull/95

twolfson commented 2 weeks ago

The fix from @ChrisdeWolf in #95 has been released in 3.5.0. Changes should auto-propagate to gulp.spritesmith and grunt-spritesmith. Thanks for all your work y'all!