
Security advice semver #2119

Closed
NormandoHall opened this issue Jun 23, 2023 · 5 comments · Fixed by illbreakurcode/Notion-Highlights#7 · 4 remaining pull requests
Comments

@NormandoHall

GHSA-c2qf-rxjj-qqgw

nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
@wellwelwel

wellwelwel commented Jun 25, 2023

A lot of packages use semver in versions earlier than 7.5.2.

I solved it temporarily by:

YARN

package.json:

"resolutions": {
  "**/semver": "^7.5.2"
}

  • Then: yarn install
  • Checking: yarn audit

NPM

package.json:

"resolutions": {
  "semver": "7.5.2"
}

  • Then: npm i -D npm-force-resolutions && npx npm-force-resolutions
  • Checking: npm audit

@fluentmoheshwar

> A lot of packages use semver in versions earlier than 7.5.2.
>
> I solved it temporarily by:
>
> YARN
>
> package.json:
>
> "resolutions": {
>   "**/semver": "^7.5.2"
> }
>
>   • Then: yarn install
>   • Checking: yarn audit
>
> NPM
>
> package.json:
>
> "resolutions": {
>   "semver": "7.5.2"
> }
>
>   • Then: npm i -D npm-force-resolutions && npx npm-force-resolutions
>   • Checking: npm audit

You could also use (doesn't require npm-force-resolutions):

"overrides": {
  "semver": "7.5.2"
}

grgomez added a commit to grgomez/play-beats-bot that referenced this issue Jun 28, 2023
@joaomoreno

A better approach:

"overrides": {
  "nodemon": {
    "simple-update-notifier": {
      "semver": "^7.5.2"
    }
  }
}

@zang3tsu88

> A better approach:
>
> "overrides": {
>   "nodemon": {
>     "simple-update-notifier": {
>       "semver": "^7.5.2"
>     }
>   }
> }

Thanks, but this one doesn't fix the issue. Out of 3 moderate vulnerabilities it leaves 2.
The previous one helped.
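The thread shows two ways to pin semver: a blanket override that rewrites every copy, and a nested override that only reaches the copy under nodemon's simple-update-notifier (which is why the nested form can leave other vulnerable copies behind). The following added example, not code from this issue or from the nodemon project, walks a package-lock.json (lockfileVersion 2/3 `packages` map), reports every installed copy of semver below the fixed version the thread cites (7.5.2; the `fixedPerMajor` map is a parameter so it can be extended to match the advisory's full list of patched versions), and builds the nested override entry for each remaining path. The lockfile, package names and versions in the sample are constructed for the example.

```javascript
// Added example: find every installed copy of a package below its fixed version
// in a package-lock.json and build the nested "overrides" entry that pins each one.
// The lockfile below is constructed for this example; paths follow npm's
// lockfileVersion 2/3 layout ("node_modules/a/node_modules/b/...").

// Parse "1.2.3" (optionally "v1.2.3-rc.1") into numeric parts; the prerelease
// suffix is dropped, so a prerelease of a fixed version counts as fixed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// fixedPerMajor maps a major version to the first fixed release in that line,
// e.g. { 7: '7.5.2' }. A major with no entry is treated as vulnerable
// (conservative: report it and decide by hand).
function isVulnerable(version, fixedPerMajor) {
  const fixed = fixedPerMajor[parseVersion(version)[0]];
  return fixed === undefined || compareVersions(version, fixed) < 0;
}

// Return { path, version } for every installed copy of `name` that is vulnerable.
function findVulnerableCopies(lock, name, fixedPerMajor) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    if (!path.endsWith(`node_modules/${name}`)) continue;
    if (isVulnerable(entry.version, fixedPerMajor)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// "node_modules/a/node_modules/b/node_modules/semver" -> { a: { b: { semver: range } } },
// i.e. the nested "overrides" shape that targets exactly that copy.
function nestedOverride(path, range) {
  const chain = path
    .split('node_modules/')
    .map((s) => s.replace(/\/$/, ''))
    .filter(Boolean);
  return chain.reduceRight((inner, pkg) => ({ [pkg]: inner }), range);
}

// Deep-merge per-path overrides into one "overrides" object for package.json.
function deepMerge(target, src) {
  for (const [k, v] of Object.entries(src)) {
    if (v && typeof v === 'object' && target[k] && typeof target[k] === 'object') {
      deepMerge(target[k], v);
    } else {
      target[k] = v;
    }
  }
  return target;
}

function buildOverrides(lock, name, range, fixedPerMajor) {
  return findVulnerableCopies(lock, name, fixedPerMajor)
    .reduce((acc, h) => deepMerge(acc, nestedOverride(h.path, range)), {});
}

// Constructed sample lockfile: one fixed top-level semver, one vulnerable copy
// nested under nodemon's simple-update-notifier, and one under another tool.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/nodemon': { version: '0.0.0-constructed' },
    'node_modules/nodemon/node_modules/simple-update-notifier': { version: '0.0.0-constructed' },
    'node_modules/nodemon/node_modules/simple-update-notifier/node_modules/semver': { version: '7.0.0' },
    'node_modules/example-tool': { version: '0.0.0-constructed' },
    'node_modules/example-tool/node_modules/semver': { version: '6.3.0' },
  },
};

const FIXED_PER_MAJOR = { 7: '7.5.2' }; // fixed version cited in the thread

const remaining = findVulnerableCopies(sampleLock, 'semver', FIXED_PER_MAJOR);
const overrides = buildOverrides(sampleLock, 'semver', '^7.5.2', FIXED_PER_MAJOR);
console.log('vulnerable copies:', remaining);
console.log(JSON.stringify({ overrides }, null, 2));
```

Running it on the sample reports the two nested copies and not the top-level 7.5.4, which matches the pattern zang3tsu88 describes: an override scoped to nodemon > simple-update-notifier fixes one copy and leaves the rest. Re-run the scan after `npm install` to confirm no copy below the fixed version remains; pinning a dependency to a different major than it declared can break it, so prefer a fixed release in the same major line where the advisory lists one.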

@github-actions

github-actions bot commented Jul 8, 2023

🎉 This issue has been resolved in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
