Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

semver vulnerable to Regular Expression Denial of Service #959

Closed
prince76007 opened this issue Sep 19, 2023 · 2 comments
Closed

semver vulnerable to Regular Expression Denial of Service #959

prince76007 opened this issue Sep 19, 2023 · 2 comments

Comments

@prince76007
Copy link

Issue Summary

semver <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - CVE-2022-25883 - GitHub Advisory Database
No fix available
node_modules/utf7/node_modules/semver
utf7 >=1.0.2
Depends on vulnerable versions of semver
node_modules/utf7
node-imap *
Depends on vulnerable versions of utf7
node_modules/node-imap

  • twilio-node version: ^4.16.0
  • node version: 18
@sbansla
Copy link
Contributor

sbansla commented Oct 12, 2023

Below shows the semver versions we are using
├─┬ @babel/[email protected]
│ ├─┬ @babel/[email protected]
│ │ └── [email protected] deduped
│ ├─┬ @babel/[email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├─┬ @babel/[email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected] deduped
│ └── [email protected]
├─┬ [email protected]
│ └─┬ @jest/[email protected]
│ ├─┬ @jest/[email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected] deduped
│ └─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└── [email protected]

@sbansla sbansla mentioned this issue Oct 12, 2023
Merged
8 tasks
@sbansla
Copy link
Contributor

sbansla commented Oct 12, 2023

@prince76007 Thank you for informing us. We have upgraded the semver version. It was a transitive dependency for us.
Below is the PR. Closing this ticket, You can reopen it if you have questions.
#966

@sbansla sbansla closed this as completed Oct 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@prince76007 @sbansla