Update to remove the vulnerability introduced by semver-regex? #8
Comments
Hi @sindresorhus, mind taking a look at this issue?
That is not possible.
I suggest upgrading
The "vulnerability" is a bullshit vulnerability anyway. Not every bug is a security vulnerability.
Repository owner locked as resolved and limited conversation to collaborators on Mar 17, 2022
Subject of the issue
find-versions@3.2.0 requires semver-regex@2.0.0, which has a security problem (see: SNYK-JS-SEMVERREGEX-1047770):
find-versions@3.2.0 ➔ semver-regex@2.0.0
I do not know if this vulnerability actually affects find-versions, but it will show up in security reports about dependencies. Since a large number of developers still use find-versions@3.2.* (1,762,377 downloads per week), is there any possibility that you could release an updated version for 3.2.* (i.e. 3.2.1) that introduces a patched version (>=3.1.2) of semver-regex?
In find-versions@3.2.1, maybe you can perform the following update:
semver-regex ^2.0.0 ➔ ^3.1.2
where semver-regex@3.1.2 (>=3.1.2) has fixed the vulnerability SNYK-JS-SEMVERREGEX-1047770.