Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security advice semver #2119

Closed
NormandoHall opened this issue Jun 23, 2023 · 5 comments
Closed

Security advice semver #2119

NormandoHall opened this issue Jun 23, 2023 · 5 comments
Labels
released

Comments

@NormandoHall
Copy link

GHSA-c2qf-rxjj-qqgw

nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
@wellwelwel
Copy link

wellwelwel commented Jun 25, 2023
edited

A lot of packages use semver in versions earlier than 7.5.2.

I solved it temporally by:

YARN

package.json

"resolutions": {
  "**/semver": "^7.5.2"
}
  • Then
yarn install
  • Checking
yarn audit

NPM

package.json

"resolutions": {
  "semver": "7.5.2"
}
  • Then
npm i -D npm-force-resolutions
npx npm-force-resolutions
  • Checking
npm audit

mjfwebb added a commit to mjfwebb/twitch-bot that referenced this issue Jun 25, 2023
@mjfwebb
chore: add semver 7.5.2 resolution
3e05510 
There are 3 moderate severity vulnerabilities otherwise

ref: remy/nodemon#2119
@wellwelwel wellwelwel mentioned this issue Jun 25, 2023
Merged
@alexbrazier alexbrazier mentioned this issue Jun 26, 2023
Merged
@fluentmoheshwar
Copy link

A lot of packages use semver in versions earlier than 7.5.2.

I solved it temporally by:

YARN

package.json

"resolutions": {
  "**/semver": "^7.5.2"
}
  • Then
yarn install
  • Checking
yarn audit

NPM

package.json

"resolutions": {
  "semver": "7.5.2"
}
  • Then
npm i -D npm-force-resolutions
npx npm-force-resolutions
  • Checking
npm audit

you could also use (doesn't require npm-force-resolutions):

"overrides": {
        "semver": "7.5.2"
 }

grgomez added a commit to grgomez/play-beats-bot that referenced this issue Jun 28, 2023
@grgomez
Fixed vulnerabilities issue by setting override to install latest ver…
b36736a 
…sion of semver. Solution: remy/nodemon#2119
@joaomoreno
Copy link

A better approach:

	"overrides": {
		"nodemon": {
			"simple-update-notifier": {
				"semver": "^7.5.2"
			}
		}
	}

@zang3tsu88
Copy link

A better approach:

	"overrides": {
		"nodemon": {
			"simple-update-notifier": {
				"semver": "^7.5.2"
			}
		}
	}

Thanks, but this one doesnt fix the issue. Out of 3 moderate vulnerabilities it leaves 2.
The previous one helped.

@remy remy closed this as completed in 6bb8766 Jul 7, 2023
@fluentmoheshwar fluentmoheshwar mentioned this issue Jul 8, 2023
Closed
@github-actions
Copy link

github-actions bot commented Jul 8, 2023

🎉 This issue has been resolved in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@zang3tsu88 zang3tsu88 mentioned this issue Aug 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@joaomoreno @NormandoHall @zang3tsu88 @wellwelwel @fluentmoheshwar