Semver vulnerability in yarn.lock
Describe the bug
The dependency security advisory states the following multiple times (yarn audit does too):
| moderate | semver vulnerable to Regular Expression Denial of Service |
|---|---|
| Package | semver |
| Patched in | >=6.3.1 |
| Dependency of | jest |
| Path | jest > jest-cli > @jest/core > @jest/reporters > istanbul-lib-instrument > @babel/core > semver |
| More info | Advisory 1095366 |
To reproduce
run yarn audit
Expected behavior
To have no dependency vulnerabilities
Potential solution
When I tried to update all packages to the latest version, there were no issues. These do include major version updates though:
| Package | Old Version | New Version |
|---|---|---|
| @actions/core | ^1.10.0 | ^1.10.1 |
| @actions/github | ^5.1.1 | ^6.0.0 |
| @semantic-release/changelog | 6.0.2 | 6.0.3 |
| @semantic-release/commit-analyzer | 9.0.2 | 11.1.0 |
| @semantic-release/github | 8.0.7 | 9.2.6 |
| @semantic-release/release-notes-generator | 10.0.3 | 12.1.0 |
| @vercel/ncc | ^0.36.1 | ^0.38.1 |
| conventional-changelog-conventionalcommits | 5.0.0 | 7.0.2 |
| conventional-commits-parser | ^3.2.4 | ^5.0.0 |
| eslint | 8.36.0 | 8.56.0 |
| eslint-config-molindo | 6.0.0 | 7.0.0 |
| jest | 29.5.0 | 29.7.0 |
| semantic-release | ^19.0.5 | ^23.0.0 |
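As an added example (not part of this issue or the project's own code), a small Node script that scans a yarn.lock v1 file for entries resolving semver to a version below the advisory's patched version 6.3.1; the lock file content is constructed, and the version comparison is a deliberately minimal numeric one rather than the semver package itself.

```javascript
// Added example (not the project's code): scan a yarn.lock v1 file for
// resolved versions of a package below the advisory's patched version.
// The lock file text below is constructed for illustration.
const PATCHED = '6.3.1'; // advisory: "Patched in >=6.3.1"
const SAMPLE_LOCK = `# yarn lockfile v1
"@babel/core@^7.11.6":
  version "7.21.3"
  dependencies:
    semver "^6.3.0"

semver@^6.3.0:
  version "6.3.0"

"semver@^7.3.5", semver@^7.5.3:
  version "7.5.4"
`;
// An unindented line ending in ':' opens an entry; its comma-separated keys are the
// requested specs. An indented 'version "x"' line is the version yarn resolved for them.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      const specs = raw.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}
// Numeric compare of major.minor.patch; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Package name of a spec: everything before its last '@' (scoped names keep the leading '@').
const packageName = spec => spec.slice(0, spec.lastIndexOf('@'));
// Entries that resolve `pkg` to a version below `patched`, with the specs that pulled them in.
function findVulnerable(lockText, pkg, patched) {
  return parseYarnLock(lockText)
    .filter(e => e.version && e.specs.some(s => packageName(s) === pkg))
    .filter(e => compareVersions(e.version, patched) < 0)
    .map(e => ({ specs: e.specs, version: e.version }));
}
for (const h of findVulnerable(SAMPLE_LOCK, 'semver', PATCHED))
  console.log(`semver ${h.version} (requested as ${h.specs.join(', ')}) is below ${PATCHED}`);
```

Pointing it at a real yarn.lock shows which requested ranges still pin a vulnerable semver, which is the information needed to decide whether a transitive update (via @babel/core here) suffices or a major bump of the parent is required.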
Jest is a dev-dependency that doesn't run as part of the action, but only during development (see also https://github.com/facebook/create-react-app/issues/11174).
That being said, if you'd like to propose a PR that updates dependencies I'd be happy to review it!
The thing is that there'd be a lot of major versions updating, not solely Jest. I couldn't pinpoint instantly which version is also solving the issue. And to have a lot of major versions being pushed to solve a semver version is a bit much, wouldn't you say?
Updating semver will furthermore not affect the code that runs for consumers of this action, so yes.
Updating dependencies would be good at some point, so we can leave this open in case someone is interested to look into it.
Note for anyone who tries: updating these packages, including updating to eslint-config-molindo v7.0, will break linting: https://github.com/molindo/eslint-config-molindo/blob/master/CHANGELOG.md#700
Breaking changes eslint-config-molindo/setupPlugins has been removed, since it's no longer necessary (fixes #59)
This is, however, used here, and removing it will break everything regarding linting (at least on my end).