semver vulnerable to Regular Expression Denial of Service
Closed this issue · 2 comments
Actual Behavior / Situation
yarn audit showed a vulnerability message in versions of the package semver before 7.5.2. css-loader is depending on that via css-loader > semver.
More info: https://www.npmjs.com/advisories/1092310
Please paste the results of npx webpack-cli info here, and mention other relevant information
Packages:
add-charset-webpack-plugin: 1.0.6 => 1.0.6
babel-loader: 9.1.2 => 9.1.2
clean-webpack-plugin: 4.0.0 => 4.0.0
copy-webpack-plugin: 11.0.0 => 11.0.0
css-loader: 6.8.1 => 6.8.1
css-minimizer-webpack-plugin: 4.0.0 => 4.0.0
html-webpack-plugin: 5.5.0 => 5.5.0
sass-loader: 13.0.0 => 13.0.0
webpack: 5.76.0 => 5.76.0
webpack-cli: 4.9.2 => 4.9.2
Binaries:
Node: 18.15.0
Yarn: 1.22.19
npm: 9.7.1
Hey, why was this closed?
@jacopolanzonidev I closed this over a year ago, so I don't recall the exact reason, but since I closed it on the exact same day as opening it and without providing more info, it probably was something I overlooked myself.