Semver vulnerability in yarn.lock #253

@EelcoLos

Description

Describe the bug
The dependency security advisory states the following multiple times (yarn audit does too):

moderate semver vulnerable to Regular Expression Denial of Service
Package semver
Patched in >=6.3.1
Dependency of jest
Path jest > jest-cli > @jest/core > @jest/reporters > istanbul-lib-instrument > @babel/core > semver
More info Advisory 1095366

To reproduce

run yarn audit

Expected behavior

To have no dependency vulnerabilities

Potential solution
When I tried to update all packages to the latest version, there were no issues. These do include major version updates though:

| Package | Old Version | New Version |
| --- | --- | --- |
| @actions/core | ^1.10.0 | ^1.10.1 |
| @actions/github | ^5.1.1 | ^6.0.0 |
| @semantic-release/changelog | 6.0.2 | 6.0.3 |
| @semantic-release/commit-analyzer | 9.0.2 | 11.1.0 |
| @semantic-release/github | 8.0.7 | 9.2.6 |
| @semantic-release/release-notes-generator | 10.0.3 | 12.1.0 |
| @vercel/ncc | ^0.36.1 | ^0.38.1 |
| conventional-changelog-conventionalcommits | 5.0.0 | 7.0.2 |
| conventional-commits-parser | ^3.2.4 | ^5.0.0 |
| eslint | 8.36.0 | 8.56.0 |
| eslint-config-molindo | 6.0.0 | 7.0.0 |
| jest | 29.5.0 | 29.7.0 |
| semantic-release | ^19.0.5 | ^23.0.0 |
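As an added example (not part of this report or the project's code): a script that parses a constructed Yarn v1 lockfile excerpt and flags every resolved semver release that is older than the advisory's patched version, so the check can run before a bulk upgrade. The 6.3.1 threshold is the one quoted in the advisory above; the 5.7.2 and 7.5.2 entries for the other release lines of the same advisory are added here from the published fix versions, and the lockfile content and tarball URLs are constructed.

```python
"""Scan a Yarn v1 lockfile for semver releases older than the advisory's patched version."""
import re

# Patched release per major line. 6.3.1 is the value quoted by the advisory in the
# issue; 5.7.2 and 7.5.2 are the fixes for the other lines of the same advisory.
PATCHED = {5: (5, 7, 2), 6: (6, 3, 1), 7: (7, 5, 2)}

# Constructed yarn.lock excerpt for demonstration, not the project's real lockfile.
SAMPLE_LOCK = """\
"@babel/core@^7.11.6":
  version "7.21.3"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.21.3.tgz#placeholder"
  dependencies:
    semver "^6.3.0"

semver@^6.3.0:
  version "6.3.0"
  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#placeholder"

semver@^7.3.5, semver@^7.5.3:
  version "7.5.4"
  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#placeholder"
"""


def parse_yarn_lock(text):
    """Return {(name, requested_range): resolved_version} for a Yarn v1 lockfile."""
    entries, keys = {}, []
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            # Header: one or more comma-separated "name@range" keys, possibly quoted.
            keys = [k.strip().strip('"') for k in line[:-1].split(",")]
        elif keys and line.startswith("  version "):
            version = line.split('"')[1]
            for key in keys:
                name, rng = key.rsplit("@", 1)  # scoped names keep their leading "@"
                entries[(name, rng)] = version
            keys = []
    return entries


def vulnerable_semver(text):
    """List (requested_range, resolved_version, patched_version) for outdated semver entries."""
    hits = []
    for (name, rng), version in parse_yarn_lock(text).items():
        if name != "semver":
            continue
        parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
        fixed = PATCHED.get(parts[0])
        if fixed and parts < fixed:
            hits.append((rng, version, ".".join(map(str, fixed))))
    return hits


if __name__ == "__main__":
    for rng, ver, fixed in vulnerable_semver(SAMPLE_LOCK):
        print(f"semver@{rng} resolves to {ver}: below patched release {fixed}")
```

Running it against the sample flags only the 6.3.0 entry reached through @babel/core, which is the path yarn audit reported above. Yarn's `resolutions` field in package.json can pin such a transitive dependency to a patched release without taking on the major-version upgrades listed in the table.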
