
Security Vulnerability in semver Dependency (Regular Expression Denial of Service)

Open · tarektaamali opened this issue 1 year ago · 1 comment

During a recent audit of our project using Trapeze, a high severity security vulnerability was detected in the semver package (versions 7.0.0 to 7.5.1), which is a dependency of Trapeze. The vulnerability relates to a Regular Expression Denial of Service (ReDoS) attack, as described in GHSA-c2qf-rxjj-qqgw.

Here are the affected dependencies:

- simple-update-notifier (depends on vulnerable versions of semver)
- nodemon (depends on simple-update-notifier)

This vulnerability affects the stability and security of applications using Trapeze, and it is critical to release a patch that updates these dependencies to secure versions.

tarektaamali avatar Sep 20 '24 10:09 tarektaamali
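Added example (not from the issue or the Trapeze project): a small Node script that scans an npm lockfile's `packages` map (npm 7+ lockfile v2/v3 layout) for installed copies of semver inside the 7.0.0 to 7.5.1 range named above and reports the nesting path that pulled each copy in; the lockfile contents and package versions below are constructed.

```javascript
// Added example, not Trapeze's own code. Flags installed semver copies in the
// affected range 7.0.0..7.5.1 and shows which parent package nested them.
// Assumes the npm 7+ lockfile shape where `packages` is keyed by install path.

const VULN_MIN = [7, 0, 0];
const VULN_MAX = [7, 5, 1];

// Compare two [major, minor, patch] triples without depending on semver itself.
function cmpTriple(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function parseTriple(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isVulnerableSemver(version) {
  const t = parseTriple(version);
  return t !== null && cmpTriple(t, VULN_MIN) >= 0 && cmpTriple(t, VULN_MAX) <= 0;
}

// Returns one { path, version, chain } record per affected semver install.
function findVulnerableSemver(lock) {
  const hits = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/semver" -> ["a", "semver"]: the nesting chain.
    const chain = pkgPath.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
    if (chain[chain.length - 1] !== 'semver') continue;
    if (!isVulnerableSemver(entry.version)) continue;
    hits.push({ path: pkgPath, version: entry.version, chain: chain.join(' > ') });
  }
  return hits;
}

// Constructed sample lockfile mirroring the chain from the issue:
// nodemon -> simple-update-notifier -> (nested, affected) semver.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/nodemon': { version: '2.0.22' },
    'node_modules/simple-update-notifier': { version: '1.1.0' },
    'node_modules/simple-update-notifier/node_modules/semver': { version: '7.0.0' },
  },
};
```

Running `findVulnerableSemver` on a real `package-lock.json` (parsed with `JSON.parse`) shows whether a fix at the top level actually reached every nested copy, which is the check to make before closing an issue like this one.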

Thanks for opening the issue, Ionic should update the dependencies.

bluepuma77 avatar Sep 24 '24 08:09 bluepuma77

This has been fixed by removing npm-watch in ticket #224 and version 7.1.3.

https://github.com/ionic-team/trapeze/releases/tag/7.1.3

Yolgie avatar Nov 26 '24 21:11 Yolgie

This issue has been resolved in the latest version, 7.1.3.

tarektaamali avatar Nov 27 '24 09:11 tarektaamali