Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security advice semver #2119

Closed
NormandoHall opened this issue Jun 23, 2023 · 5 comments · Fixed by illbreakurcode/Notion-Highlights#7 · 4 remaining pull requests
Closed

Security advice semver #2119

NormandoHall opened this issue Jun 23, 2023 · 5 comments · Fixed by illbreakurcode/Notion-Highlights#7 · 4 remaining pull requests
Labels
released

Comments

@NormandoHall
Copy link

GHSA-c2qf-rxjj-qqgw

nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
@wellwelwel
Copy link

wellwelwel commented Jun 25, 2023
edited
Loading

A lot of packages use semver in versions earlier than 7.5.2.

I solved it temporally by:

YARN

package.json

"resolutions": {
  "**/semver": "^7.5.2"
}
  • Then
yarn install
  • Checking
yarn audit

NPM

package.json

"resolutions": {
  "semver": "7.5.2"
}
  • Then
npm i -D npm-force-resolutions
npx npm-force-resolutions
  • Checking
npm audit

mjfwebb added a commit to mjfwebb/twitch-bot that referenced this issue Jun 25, 2023
@mjfwebb
chore: add semver 7.5.2 resolution
3e05510 
There are 3 moderate severity vulnerabilities otherwise

ref: remy/nodemon#2119
@wellwelwel wellwelwel mentioned this issue Jun 25, 2023
Merged
@alexbrazier alexbrazier mentioned this issue Jun 26, 2023
Merged
@fluentmoheshwar
Copy link

A lot of packages use semver in versions earlier than 7.5.2.

I solved it temporally by:

YARN

package.json

"resolutions": {
  "**/semver": "^7.5.2"
}
  • Then
yarn install
  • Checking
yarn audit

NPM

package.json

"resolutions": {
  "semver": "7.5.2"
}
  • Then
npm i -D npm-force-resolutions
npx npm-force-resolutions
  • Checking
npm audit

you could also use (doesn't require npm-force-resolutions):

"overrides": {
        "semver": "7.5.2"
 }

grgomez added a commit to grgomez/play-beats-bot that referenced this issue Jun 28, 2023
@grgomez
Fixed vulnerabilities issue by setting override to install latest ver…
b36736a 
…sion of semver. Solution: remy/nodemon#2119
@joaomoreno
Copy link

A better approach:

	"overrides": {
		"nodemon": {
			"simple-update-notifier": {
				"semver": "^7.5.2"
			}
		}
	}

@zang3tsu88
Copy link

A better approach:

	"overrides": {
		"nodemon": {
			"simple-update-notifier": {
				"semver": "^7.5.2"
			}
		}
	}

Thanks, but this one doesnt fix the issue. Out of 3 moderate vulnerabilities it leaves 2.
The previous one helped.

@remy remy closed this as completed in 6bb8766 Jul 7, 2023
@fluentmoheshwar fluentmoheshwar mentioned this issue Jul 8, 2023
Closed
@github-actions
Copy link

github-actions bot commented Jul 8, 2023

🎉 This issue has been resolved in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@zang3tsu88 zang3tsu88 mentioned this issue Aug 13, 2023
Merged
This was referenced Jun 8, 2024
Open
Open
@YoutacRandS-VA YoutacRandS-VA mentioned this issue Jun 20, 2024
Open
@hiterharris hiterharris mentioned this issue Jul 7, 2024
Closed
@WontonSam WontonSam mentioned this issue Jul 16, 2024
Open
This was referenced Jul 16, 2024
Open
Open
Open
@metju90 metju90 mentioned this issue Jul 17, 2024
Open
This was referenced Jul 18, 2024
Open
Open
Open
Open
@snyk-io snyk-io bot mentioned this issue Jul 27, 2024
Open
@andrusha89 andrusha89 mentioned this issue Aug 5, 2024
Open
@illbreakurcode illbreakurcode mentioned this issue Aug 9, 2024
Open
@BlackPeter13 BlackPeter13 mentioned this issue Aug 13, 2024
Closed
@snyk-io snyk-io bot mentioned this issue Aug 24, 2024
Open
@illbreakurcode illbreakurcode mentioned this issue Sep 6, 2024
Merged
@WontonSam WontonSam mentioned this issue Sep 8, 2024
Open
@WontonSam WontonSam mentioned this issue Sep 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Snyk] Upgrade nodemon from 3.0.0 to 3.1.4 illbreakurcode/Notion-Highlights
[Snyk] Upgrade nodemon from 2.0.19 to 3.1.0 WontonSam/savyon-api
[Snyk] Upgrade nodemon from 2.0.19 to 3.1.0 WontonSam/haikus-for-codespaces
[Snyk] Upgrade nodemon from 1.19.4 to 3.1.2 YoutacRandS-VA/idurar-erp-crm
[Snyk] Upgrade nodemon from 1.19.1 to 3.1.4 WontonSam/xbox-clips-node-server
[Snyk] Upgrade nodemon from 1.19.4 to 3.1.4 WontonSam/Phiahplay-gaming
[Snyk] Upgrade nodemon from 2.0.19 to 3.1.4 WontonSam/haikus-for-codespaces
[Snyk] Upgrade nodemon from 1.19.4 to 3.1.4 WontonSam/Phiahplay-gaming
[Snyk-dev] Upgrade nodemon from 3.0.0 to 3.1.4 metju90/Postcodes
[Snyk] Upgrade nodemon from 1.19.1 to 3.1.4 WontonSam/xbox-clips-node-server
5 participants
@joaomoreno @NormandoHall @zang3tsu88 @wellwelwel @fluentmoheshwar