
CVE-2022-25883 via semver@5.7.1 #475

Closed
s100 opened this issue Jun 26, 2023 · 3 comments · Fixed by #477

Comments

s100 commented Jun 26, 2023

patch-package depends on semver@^5.6.0, which is vulnerable to CVE-2022-25883. This can be fixed by upgrading to semver@7.5.3 or later.

@toastwaffle

#466 would fix this

rsanchez (Contributor) commented Jul 7, 2023

Noting that #466 does not fix this, since that only bumps the semver version to 7.0.0, and not 7.5.3 or above.

#477 would fix this.
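Added example, not code from patch-package or from anyone in this thread: a script that walks an npm package-lock.json and reports every copy of semver below 7.5.3, including transitive copies nested under patch-package, so a #466-style bump to 7.0.0 is still reported. The lockfileVersion 1 nested layout, the sample lock and the dependency name "some-dep" are assumptions.

```javascript
// Added example, not from patch-package or this issue: audit an npm lockfile
// (lockfileVersion 1 layout assumed) for semver copies older than the
// CVE-2022-25883 fix release named in the thread, semver@7.5.3.
const FIXED = [7, 5, 3];
// Parse "major.minor.patch" into a numeric triple; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
// True when triple a sorts strictly before triple b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Walk the nested "dependencies" tree and return the install path of every semver
// copy below FIXED. Nested copies matter: npm keeps an old semver under
// patch-package even when the root already resolves a fixed one.
function findVulnerableSemver(lock) {
  const hits = [];
  const visit = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === 'semver' && isBelow(parseVersion(info.version), FIXED)) {
        hits.push(`${prefix}semver@${info.version}`);
      }
      visit(info.dependencies, `${prefix}${name} > `);
    }
  };
  visit(lock.dependencies, '');
  return hits;
}
// Constructed sample: the root resolves a fixed semver, patch-package carries the
// 7.0.0 bump from #466 (still affected), and a hypothetical "some-dep" pulls in 5.7.1.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    semver: { version: '7.5.4' },
    'patch-package': {
      version: '7.0.0',
      dependencies: {
        semver: { version: '7.0.0' },
        'some-dep': { version: '1.0.0', dependencies: { semver: { version: '5.7.1' } } },
      },
    },
  },
};

console.log(findVulnerableSemver(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means every resolved semver is at or above the fix release.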

s100 (Author) commented Jul 11, 2023

Fixed in patch-package@7.0.1.

@s100 s100 closed this as completed Jul 11, 2023