As of today (03 July 2023), running npm audit on a project that uses npm-run-all2 results in the following audit report:
```
npm audit report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/eslint-plugin-import/node_modules/semver
node_modules/semver
  eslint-plugin-import >=2.27.4
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-import
  normalize-package-data <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/normalize-package-data
    read-pkg <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      npm-run-all2 *
      Depends on vulnerable versions of read-pkg
      node_modules/npm-run-all2
```
Trying npm audit fix --force does not work, at least not for me.
Need to go through and do some updates to some packages that went ESM-only. Unfortunately this is non-trivial, so I haven't had time. A PR would be appreciated here if you need this ASAP. The vulns are not an issue for these use cases however.
A fix for semver is available: https://github.com/npm/node-semver/releases/tag/v7.5.3
Please update npm-run-all's dependency tree to address this vulnerability.
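The report above only tells you which packages sit between the advisory and your project; to pin a patched `semver` without waiting for the upstream dependency tree, you need the exact path so the override applies only there. The following is an added example (not code from this thread or from npm-run-all2) that walks an `npm audit --json` report from each advisory outward through `effects` and builds the nested `overrides` entry for `package.json`. It assumes the npm 7+ audit JSON shape (`vulnerabilities`, `via`, `effects`, `fixAvailable`); `sampleReport` is constructed by hand to mirror the report in this thread, and the function names and the `^7.5.3` pin (the release the thread links to) are the example's own choices.

```javascript
'use strict';

// Constructed sample mirroring the audit report in the thread; not real npm output.
// Shape assumed: npm 7+ `npm audit --json` (`via` holds advisory objects for the
// package the advisory is filed against, and package names for packages that are
// only vulnerable through a dependency; `fixAvailable` is false, true or an object).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    semver: {
      name: 'semver', severity: 'moderate', isDirect: false,
      via: [{ name: 'semver', severity: 'moderate', range: '<7.5.2',
              title: 'semver vulnerable to Regular Expression Denial of Service',
              url: 'https://github.com/advisories/GHSA-c2qf-rxjj-qqgw' }],
      effects: ['eslint-plugin-import', 'normalize-package-data'],
      range: '<7.5.2',
      nodes: ['node_modules/semver', 'node_modules/eslint-plugin-import/node_modules/semver'],
      fixAvailable: false,
    },
    'eslint-plugin-import': {
      name: 'eslint-plugin-import', severity: 'moderate', isDirect: true,
      via: ['semver'], effects: [], range: '>=2.27.4',
      nodes: ['node_modules/eslint-plugin-import'], fixAvailable: false,
    },
    'normalize-package-data': {
      name: 'normalize-package-data', severity: 'moderate', isDirect: false,
      via: ['semver'], effects: ['read-pkg'], range: '<=2.5.0',
      nodes: ['node_modules/normalize-package-data'], fixAvailable: false,
    },
    'read-pkg': {
      name: 'read-pkg', severity: 'moderate', isDirect: false,
      via: ['normalize-package-data'], effects: ['npm-run-all2'], range: '<=5.2.0',
      nodes: ['node_modules/read-pkg'], fixAvailable: false,
    },
    'npm-run-all2': {
      name: 'npm-run-all2', severity: 'moderate', isDirect: true,
      via: ['read-pkg'], effects: [], range: '*',
      nodes: ['node_modules/npm-run-all2'], fixAvailable: false,
    },
  },
};

// Packages an advisory is filed against (their `via` contains advisory objects,
// not just the names of other vulnerable packages).
function rootVulnerabilities(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((entry) => typeof entry === 'object'));
}

// Every path from `name` outward through `effects` to a package nothing else in
// the report depends on (normally one of your direct dependencies). `seen`
// guards against cycles in a malformed report.
function chainsFrom(report, name, seen = new Set()) {
  const vuln = report.vulnerabilities[name];
  if (!vuln || seen.has(name)) return [];
  const visited = new Set(seen).add(name);
  if (vuln.effects.length === 0) return [[name]];
  const chains = [];
  for (const dependant of vuln.effects) {
    for (const rest of chainsFrom(report, dependant, visited)) chains.push([name, ...rest]);
  }
  return chains;
}

// Human-readable chains for advisories npm could not fix automatically.
function unfixedChains(report) {
  const lines = [];
  for (const root of rootVulnerabilities(report).filter((v) => v.fixAvailable === false)) {
    for (const chain of chainsFrom(report, root.name)) {
      lines.push(chain.length === 1
        ? `${root.name} ${root.range} (direct dependency)`
        : `${root.name} ${root.range} -> ${chain.slice(1).join(' -> ')}`);
    }
  }
  return lines;
}

// Nested package.json `overrides` entry, one branch per chain, written from your
// direct dependency down to the vulnerable package so the pin applies only on that
// path. `pins` maps vulnerable package name -> version spec to force.
function overridesFor(report, pins) {
  const overrides = {};
  for (const root of rootVulnerabilities(report)) {
    const spec = pins[root.name];
    if (!spec) continue;
    for (const chain of chainsFrom(report, root.name)) {
      const path = chain.slice().reverse();        // direct dep first, advisory last
      let cursor = overrides;
      for (const pkg of path.slice(0, -1)) {
        if (typeof cursor[pkg] !== 'object') cursor[pkg] = {};
        cursor = cursor[pkg];
      }
      cursor[root.name] = spec;
    }
  }
  return overrides;
}

// Stand-alone run: the pin is the semver release linked in the thread.
const suggested = overridesFor(sampleReport, { semver: '^7.5.3' });
console.log(unfixedChains(sampleReport).join('\n'));
console.log(JSON.stringify({ overrides: suggested }, null, 2));
```

Feed it a real report with `npm audit --json > audit.json` and `JSON.parse` the file in place of `sampleReport`. Two caveats before pasting the generated block into `package.json`: `overrides` needs npm 8.3 or newer, and forcing semver 7.x under packages that declared semver 5.x or 6.x is a major-version override, so confirm the result with `npm ls semver` and run the project's own tests rather than trusting a clean `npm audit` alone.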