Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(semver): update semver to latest version to correct vulnerability #3597

Closed
wants to merge 2 commits into from

Conversation

blabute
Copy link

@blabute blabute commented Jul 7, 2023

Snyk reported a vulnerability with this version of semver. See https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795. This change updates to the latest version to correct the issue.

It also updates the engine to be greater than 10 due to an issue in a check.

@blabute
Copy link
Author

blabute commented Jul 7, 2023

Seeing some other PRs failing due to this vulnerability: #3593

@blabute
Copy link
Author

blabute commented Jul 7, 2023

Looks like https://iojs.org/ is also unavailable at the moment which is causing some checks to fail. Should we just update this url to be https://nodejs.org/ per nodejs/iojs.org#432 (comment)?

@ljharb can you help with this?

@ljharb
Copy link
Member

ljharb commented Jul 7, 2023

It’s not a vulnerability here - like most transitive dep CVEs, it’s a false positive - and we can’t upgrade because v7 drops support for engines we need to support.

Duplicate of #3589.

@ljharb ljharb closed this Jul 7, 2023
@ljharb
Copy link
Member

ljharb commented Jul 7, 2023

Upgrading the engines would be a breaking change, as well, and that's just not something we'll likely ever do.

@blabute
Copy link
Author

blabute commented Jul 10, 2023

Upgrading the engines would be a breaking change, as well, and that's just not something we'll likely ever do.

Thanks for the reply! Node 4 security support ended in April 2018. Are you thinking this package will always support those legacy versions of Node?

@ljharb
Copy link
Member

ljharb commented Jul 10, 2023

Yes, platform support has no bearing on ecosystem support.

Either way, the semver maintainers are backporting the fix to v6, so there’s nothing that needs to be done to address this false positive but wait.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants