Skip to content

Update dependency semver to v6.3.1 [SECURITY]#37

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-semver-vulnerability
Open

Update dependency semver to v6.3.1 [SECURITY]#37
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-semver-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 25, 2023
edited
Loading

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
semver 6.2.06.3.1 age confidence

semver vulnerable to Regular Expression Denial of Service

CVE-2022-25883 / GHSA-c2qf-rxjj-qqgw

More information

Details

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

npm/node-semver (semver)

v6.3.1

Compare Source

Bug Fixes

v6.3.0

Compare Source

  • Expose the token enum on the exports

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title Update dependency semver to v7 [SECURITY] Update dependency semver to v7 [SECURITY] - autoclosed Jul 10, 2023
@renovate renovate Bot closed this Jul 10, 2023
@renovate renovate Bot deleted the renovate/npm-semver-vulnerability branch July 10, 2023 22:47
@renovate renovate Bot changed the title Update dependency semver to v7 [SECURITY] - autoclosed Update dependency semver to v7 [SECURITY] Jul 11, 2023
@renovate renovate Bot reopened this Jul 11, 2023
@renovate renovate Bot restored the renovate/npm-semver-vulnerability branch July 11, 2023 01:55
@renovate renovate Bot changed the title Update dependency semver to v7 [SECURITY] Update dependency semver to v6.3.1 [SECURITY] Jul 11, 2023
@renovate renovate Bot force-pushed the renovate/npm-semver-vulnerability branch from 8265967 to e595683 Compare July 11, 2023 01:56
@renovate renovate Bot force-pushed the renovate/npm-semver-vulnerability branch from e595683 to cad9116 Compare November 10, 2025 20:13
@renovate renovate Bot force-pushed the renovate/npm-semver-vulnerability branch from cad9116 to e95e9c8 Compare November 18, 2025 11:41
@renovate renovate Bot force-pushed the renovate/npm-semver-vulnerability branch 2 times, most recently from 798a978 to 7daaa4c Compare December 31, 2025 20:51
@renovate renovate Bot changed the title Update dependency semver to v6.3.1 [SECURITY] Update dependency semver to v6.3.1 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-semver-vulnerability branch March 27, 2026 01:32
@renovate renovate Bot changed the title Update dependency semver to v6.3.1 [SECURITY] - autoclosed Update dependency semver to v6.3.1 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-semver-vulnerability branch from 7daaa4c to 460ba4a Compare March 30, 2026 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants