Fix vulnerability of regular expression denial of service by upgrading semver to 7.5.3 #14262
Conversation
…g semver to 7.5.2 (66eb393 to 416c59a)
This probably needs to be semver 7.5.3 at this point.
@hildjj version 7.5.2 or any higher version would be suitable for addressing this problem, as it contains the necessary patches.
Probably still worth doing for posterity's sake, no?
Fixed version is in semver range, so we don't have to update here. Happy to do so if it helps, though 👍 Can you update to 7.5.3 and add a changelog entry?
Done 👍
Thanks!
Summary
At the moment, Jest uses version 7.3.5 of semver. The problem arises when launching the command 'yarn audit' due to a vulnerability in regular expression denial of service via the function 'new Range'. You can find more information about this vulnerability in the following reference: GHSA-c2qf-rxjj-qqgw
This pull request (PR) proposes upgrading the semver dependency to version 7.5.3 because it includes the necessary patches for versions greater than or equal to 7.5.2.
Test plan
Green CI
Thanks!