
Security advice semver #2119

Closed
NormandoHall opened this issue Jun 23, 2023 · 5 comments · Fixed by illbreakurcode/Notion-Highlights#7 · 4 remaining pull requests
@NormandoHall

GHSA-c2qf-rxjj-qqgw

nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
@wellwelwel commented Jun 25, 2023

A lot of packages use semver in versions earlier than 7.5.2.

I solved it temporarily by:

YARN

package.json:

"resolutions": {
  "**/semver": "^7.5.2"
}

Then:

yarn install

Checking:

yarn audit

NPM

package.json:

"resolutions": {
  "semver": "7.5.2"
}

Then:

npm i -D npm-force-resolutions
npx npm-force-resolutions

Checking:

npm audit

@fluentmoheshwar

You could also use this (doesn't require npm-force-resolutions):

"overrides": {
  "semver": "7.5.2"
}

grgomez added a commit to grgomez/play-beats-bot that referenced this issue Jun 28, 2023
@joaomoreno

A better approach:

"overrides": {
  "nodemon": {
    "simple-update-notifier": {
      "semver": "^7.5.2"
    }
  }
}

@zang3tsu88

Thanks, but this one doesn't fix the issue. Out of 3 moderate vulnerabilities it leaves 2.
The previous one helped.
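The resolutions/overrides recipes above pin a single `semver` floor, and the observation that a narrow override still leaves audit findings comes down to nested copies of `semver` that the pin did not reach. The following check, added here as an example and not code from this thread or from nodemon, walks a parsed npm lockfile (lockfileVersion 2/3, which stores a flat `packages` map keyed by `node_modules` path) and reports every installed `semver` below 7.5.2, wherever it is nested. The lockfile contents and package versions in `SAMPLE_LOCK` are constructed for illustration.

```javascript
// Added example: find installed copies of `semver` older than a floor version
// (7.5.2 here, the fix version named in the thread) anywhere in an npm lockfile.
// Plain Node.js, no dependencies; versions are compared without the semver package.

// Split "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus a pre-release flag.
// Build metadata ("+...") is not used by npm lockfiles and is ignored here.
function parseVersion(v) {
  const [core, pre] = v.split("-");
  const nums = core.split(".").map((n) => parseInt(n, 10) || 0);
  return { nums, pre: pre !== undefined };
}

// True when `version` >= `floor`. A pre-release of the floor (e.g. 7.5.2-alpha.1)
// counts as below the floor, which is the conservative choice for an audit check.
function isAtLeast(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    const x = a.nums[i] || 0;
    const y = b.nums[i] || 0;
    if (x !== y) return x > y;
  }
  return !a.pre || b.pre;
}

// Return { path, version } for every lockfile entry that is a `semver` package
// (top-level or nested under another package) with a version below `floor`.
function findOutdatedSemver(lockfile, floor = "7.5.2") {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isSemver = path === "node_modules/semver" || path.endsWith("/node_modules/semver");
    if (isSemver && meta.version && !isAtLeast(meta.version, floor)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not taken from any real
// install): the top-level semver is patched, but two nested copies are not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/semver": { version: "7.5.2" },
    "node_modules/nodemon": { version: "2.0.0" },
    "node_modules/nodemon/node_modules/semver": { version: "5.7.1" },
    "node_modules/simple-update-notifier": { version: "1.0.0" },
    "node_modules/simple-update-notifier/node_modules/semver": { version: "7.0.0" },
  },
};

for (const h of findOutdatedSemver(SAMPLE_LOCK)) {
  console.log(`${h.path} is ${h.version} (below 7.5.2)`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result after `npm install` means the override reached every nested copy.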

@github-actions bot commented Jul 8, 2023

🎉 This issue has been resolved in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
