
Package depends on vulnerable version of `semver`

Open · arstulke opened this issue 3 months ago · 1 comment

Version @alma-cdk/[email protected] (currently the latest version) includes [email protected], which is a vulnerable version, as a bundled dependency. The semver vulnerability has a severity of high.

I tried updating it quickly, but it requires updating projen as well. Projen installs a newer version of JSII, which requires some larger code changes.

arstulke, Sep 25 '25 14:09

Can someone build and deploy a beta version for PR #68, so I can verify the change using npm audit?

arstulke-btc, Oct 20 '25 09:10