Our meow dependency (which we use for our CLI) depended on [email protected]. A vulnerability in this version of semver was recently identified and surfaced by npm audit:
Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Original post by the reporter:
"my npm audit shows the report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
And my dependencies tree for semver shows your package
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected] deduped
I found that [email protected] contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it.
Update your package to use the "meow" version >=10"
N/A
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
⬇️ EDITED AFTER PUBLISHED ⬇️
semver versions
The same security fix has been backported to the older semver versions 5.x and 6.x. See the CVE-2022-25883 details.
So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:
package.json:
{
  "dependencies": {
    "stylelint": "15.10.0"
  }
}
Run npm audit (there is no alert for semver; the remaining alert is for stylelint itself):
$ npm ci
...
$ npm audit
...
stylelint 8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/stylelint
1 low severity vulnerability
...
$ npm ls semver
...
├─┬ [email protected]
├─┬ [email protected]
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
├─┬ [email protected]
├─┬ [email protected]
└── [email protected]
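To check a project's own tree for this the same way, here is an added example (not code from the Stylelint advisory or the Stylelint project): it walks the JSON that `npm ls semver --json` prints and lists every installed semver copy older than the release that fixes CVE-2022-25883, using the fixed versions 7.5.2, 6.3.1 and 5.7.2. The sample tree and its package versions are constructed for illustration.

```javascript
// Added example, not code from the Stylelint advisory: scan the JSON that
// `npm ls semver --json` prints and report every installed copy of semver that
// predates the fix for CVE-2022-25883 (7.5.2, backported as 6.3.1 and 5.7.2).
const FIXED_BY_MAJOR = { 5: [5, 7, 2], 6: [6, 3, 1], 7: [7, 5, 2] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`cannot parse version "${v}"`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of [major, minor, patch]; the semver package is deliberately not used.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isVulnerableSemver(version) {
  const v = parseVersion(version);
  if (v[0] > 7) return false;            // majors after 7 start past the fix
  const fixed = FIXED_BY_MAJOR[v[0]];
  if (!fixed) return true;               // 4.x and older never received a backport
  return compareVersions(v, fixed) < 0;
}

// Recursively walk the `dependencies` objects of `npm ls --json` output and
// return each vulnerable semver node together with the path that pulls it in.
function findVulnerableSemver(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'semver' && node.version && isVulnerableSemver(node.version)) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    hits.push(...findVulnerableSemver(node, here));
  }
  return hits;
}

// Constructed sample shaped like the reporter's tree (versions are illustrative):
// stylelint -> meow -> normalize-package-data -> semver 5.7.1, plus a fixed 7.5.4.
const SAMPLE_TREE = { name: 'my-app', dependencies: {
  stylelint: { version: '15.10.0', dependencies: {
    meow: { version: '9.0.0', dependencies: {
      'normalize-package-data': { version: '3.0.3', dependencies: {
        semver: { version: '5.7.1' } } } } } } },
  semver: { version: '7.5.4' },
} };
for (const hit of findVulnerableSemver(SAMPLE_TREE)) console.log(`VULNERABLE: ${hit.path}`);
```

To run it against a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls semver --json`.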