Semver Dependency - CVE-2022-25883 Vulnerability #158

7emretelli · 2023-12-27T18:46:27Z

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch [email protected] for the project I'm working on.

Semver, the dependent of the node-abi package has CVE-2022-25883 vulnerability. After carefully comparing 7.3.5 and 7.5.3 versions of the semver, concluded on there is no code updates needed but only version of semver need to be updated for node-abi.

NPM Audit: GHSA-c2qf-rxjj-qqgw

Here is the diff that solved my problem:

diff --git a/node_modules/node-abi/package.json b/node_modules/node-abi/package.json
index 1f462bf..1bc9e4e 100644
--- a/node_modules/node-abi/package.json
+++ b/node_modules/node-abi/package.json
@@ -32,7 +32,7 @@
     "tape": "^5.3.1"
   },
   "dependencies": {
-    "semver": "^7.3.5"
+    "semver": "^7.5.3"
   },
   "engines": {
     "node": ">=10"

This issue body was partially generated by patch-package.

The text was updated successfully, but these errors were encountered:

MarshallOfSound · 2023-12-27T18:50:01Z

You don't need to use patch-package for this, those semver ranges are compatible and result in the same version being installed

7emretelli changed the title ~~Semver Dependency CVE-2022-25883 Vulnerability~~ Semver Dependency - CVE-2022-25883 Vulnerability Dec 27, 2023

MarshallOfSound closed this as not planned Won't fix, can't repro, duplicate, stale Dec 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Semver Dependency - CVE-2022-25883 Vulnerability #158

Semver Dependency - CVE-2022-25883 Vulnerability #158

7emretelli commented Dec 27, 2023

MarshallOfSound commented Dec 27, 2023

Semver Dependency - CVE-2022-25883 Vulnerability #158

Semver Dependency - CVE-2022-25883 Vulnerability #158

Comments

7emretelli commented Dec 27, 2023

MarshallOfSound commented Dec 27, 2023