fix: better handling of whitespace #564
Snyk reported that this PR fixed a vulnerability in semver 7.5.1: https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795 According to Snyk, it looks like semver 5.7.1 has the same issue. It seems a lot of packages still depend on semver 5.x. Is there any chance of applying this fix in a 5.7.2 release as well? (I looked but I didn't see a 5.x branch in this repo)
@lukekarrys @wraithgar
At this time, seeing as how v5/6 is a single 1400+ line file with outdated testing deps and no working CI we do not have plans to backport this.
@wraithgar, while I totally side with you on this, it's much more difficult to bulk upgrade semver to v7 across deep dependency trees of even medium-sized projects. We have 10+ usages of it just in microsoft/vscode. This is a compliment: semver is very popular and its usage is widespread. We thank you for this library! ❤️ That being said, we like to put our commits where our mouth is. I've backported the fix to v5: https://github.com/npm/node-semver/compare/v5.7.1...joaomoreno:joao/backport-564-to-v5?expand=1. I've also fixed the test suites and added the relevant test cases, all green: https://asciinema.org/a/593286. I hope you can consider this for releasing an eventual 5.7.2 version, given your review. If successful, I would gladly backport the same fix to v6. I can't quite create a PR, since there's no v5 branch to upstream against. If you'd like to roll this forward, let's create a v5 branch and we'll create a PR from my ref.
That would be amazing; semver v7's dropping of node versions means I'm stuck on v6 for basically ever on dozens of packages.
The babel team has also stated that they'd fork v6 to fix the issue. babel/babel#15720 (comment) |
This is great, we really appreciate the effort! ❤️ Here's my PR for v5: #585 |
I will open a PR later for v6, thank you! |
@nicolo-ribaudo If you'd like to try to get all of them in your PR go for it 😄 Otherwise just the fix you have in your fork would be great!
I appreciate all of your efforts to backport patches to versions that are over 3 years old. |
This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade semver from 7.5.2 to 7.5.3.

Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

- The recommended version is **1 version** ahead of your current version.
- The recommended version was released **a month ago**, on 2023-06-22.

Release notes (package: semver):

7.5.3 (2023-06-22)
Bug Fixes
- abdd93d #571 set max lengths in regex for numeric and build identifiers (@lukekarrys)
Documentation
- bf53dd8 #569 add example for `>` comparator (@mbtools)

7.5.2 (2023-06-15)
Bug Fixes
- 58c791f #566 diff when detecting major change from prerelease (@lukekarrys)
- 5c8efbc #565 preserve build in raw after inc (@lukekarrys)
- 717534e #564 better handling of whitespace (@lukekarrys)

from semver GitHub release notes: https://github.com/npm/node-semver/releases

Commit messages (package: semver):
- 7fdf1ef chore: release 7.5.3
- bf53dd8 docs: add example for `>` comparator (#569)
- abdd93d fix: set max lengths in regex for numeric and build identifiers (#571)

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.*

Co-authored-by: snyk-bot <snyk-bot@snyk.io>