Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move to semver >= 7.5.2 #16139

Closed
aboktor opened this issue Jun 26, 2023 · 0 comments
Closed

Move to semver >= 7.5.2 #16139

aboktor opened this issue Jun 26, 2023 · 0 comments

Comments

@aboktor
Copy link
Contributor

aboktor commented Jun 26, 2023

Work Item

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. https://nvd.nist.gov/vuln/detail/CVE-2022-25883
@tyler-cai-microsoft tyler-cai-microsoft mentioned this issue Jun 30, 2023
Merged
tyler-cai-microsoft added a commit that referenced this issue Jun 30, 2023
@tyler-cai-microsoft
Component governance - update semver to 7.5.2 or greater (#16212)
c6758c8 
#16139

Component governance, there is a security vulnerability with semver.
Upgrade semver to remove the security vulnerability.
@Abe27342 Abe27342 closed this as completed Jul 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Abe27342 @aboktor