Address vulnerable dependency: Semver < 7.5.2 #1019
Comments
#904 is related to this

DEPENDENCY PROBLEMS
# npm audit report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install @commitlint/cli@8.2.0, which is a breaking change
node_modules/read-pkg/node_modules/semver
normalize-package-data <=2.5.0
Depends on vulnerable versions of semver
node_modules/read-pkg/node_modules/normalize-package-data
read-pkg <=5.2.0
Depends on vulnerable versions of normalize-package-data
node_modules/read-pkg
read-pkg-up <=7.0.1
Depends on vulnerable versions of read-pkg
node_modules/read-pkg-up
meow 3.4.0 - 9.0.0
Depends on vulnerable versions of read-pkg-up
node_modules/meow
conventional-commits-parser >=2.1.5
Depends on vulnerable versions of meow
node_modules/conventional-commits-parser
@commitlint/parse >=8.3.0
Depends on vulnerable versions of conventional-commits-parser
node_modules/@commitlint/parse
@commitlint/lint >=8.3.0
Depends on vulnerable versions of @commitlint/parse
node_modules/@commitlint/lint
git-raw-commits >=1.3.4
Depends on vulnerable versions of meow
node_modules/git-raw-commits
@commitlint/read >=8.3.0
Depends on vulnerable versions of git-raw-commits
node_modules/@commitlint/read
@commitlint/cli >=8.3.0
Depends on vulnerable versions of @commitlint/lint
Depends on vulnerable versions of @commitlint/read
node_modules/@commitlint/cli
11 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force

Of all the dependencies listed in my prompt, I did a fairly manual search to find where the versioning problem really was. At the time of publishing this message, the versions of the packages listed below are:

CONCLUSION
Please make a commit updating, at least, the dependency
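The manual search through the dependency tree described in the comment above, as an added example that is not part of the original thread or the project's code: a Node script that walks an `npm ls --all --json`-style tree and prints every path ending in a `semver` older than the fixed 7.5.2 release. The tree, its versions and the `chain` helper are constructed for this example, trimmed to the transitive chain from the audit report.

```javascript
// Added example (not the project's code): walk an `npm ls --all --json`-style
// tree and list every path that ends in a `semver` older than the fixed release.
const FIXED_SEMVER = '7.5.2';

// Build a nested tree from a flat "name@version" chain (helper for the sample).
function chain(specs) {
  return specs.reduceRight((child, spec) => {
    const at = spec.lastIndexOf('@');           // scoped names keep their leading '@'
    const node = { version: spec.slice(at + 1) };
    if (child) node.dependencies = child;
    return { [spec.slice(0, at)]: node };
  }, null);
}

// Constructed sample tree: the transitive chain from the audit report above,
// with made-up versions, plus an already-fixed top-level semver copy.
const tree = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    ...chain(['@commitlint/cli@8.3.5', '@commitlint/read@8.3.5', 'git-raw-commits@2.0.0',
      'meow@5.0.0', 'read-pkg-up@3.0.0', 'read-pkg@3.0.0',
      'normalize-package-data@2.5.0', 'semver@5.7.1']),
    semver: { version: '7.5.4' },
  },
};

// Numeric major.minor.patch comparison (pre-release suffix ignored); <0 if a < b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every dependency path (as "name@version" steps) that ends in `pkg`
// at a version below `fixed`; nested copies are found wherever npm placed them.
function findVulnerablePaths(node, pkg, fixed, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === pkg && compareVersions(dep.version, fixed) < 0) hits.push(here);
    hits.push(...findVulnerablePaths(dep, pkg, fixed, here));
  }
  return hits;
}

for (const p of findVulnerablePaths(tree, 'semver', FIXED_SEMVER)) console.log(p.join(' > '));
```

On a real project, replace the constructed `tree` with `JSON.parse` of the `npm ls --all --json` output; the top-level 7.5.4 copy is ignored, and only the nested 5.7.1 path under @commitlint/cli is reported.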
It's not just related to that PR, there's also a transitive dependency that is very old which is
The issue is you can see below where
@dangreen are there any plans to update some of these super old dependencies in conventional-changelog? I see that #904 was merged but

Related PRs

However, these PRs are failing (unit tests) because the PRs are trying to upgrade to recent versions which are now ESM only; a working solution would be to upgrade
@dangreen I think the release is missing to fix the vulnerability?
@escapedcat We need new releases for all packages to fix this vulnerability once and for all.

@dangreen any way we could have a new release for
Please update all dependencies to semver to at least 7.5.2 to address CVE-2022-25883.