
Semver package security issue

Open doctenahasib opened this issue 1 year ago • 3 comments

The package semver version 5.4.1 has a security issue and allows attackers to do a ReDoS. Can you please update that package to the latest version?

https://github.com/serverless/serverless-plugin-log-retention/blob/master/package.json#L27

doctenahasib avatar Jul 11 '23 07:07 doctenahasib
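The report above is about a copy of `semver` nested under the plugin in `node_modules`, which is easy to miss when only the top-level `semver` in a project has been upgraded. The following is an added example, not code from the issue or from the plugin, that scans a `package-lock.json` (lockfileVersion 2/3 `packages` map) for every nested `semver` older than 5.7.2, the first version the linked advisory lists as fixed. The lockfile embedded below is a constructed sample that mirrors the layout `npm audit` printed in this thread; the hoisted semver version and the plugin's own version are placeholders.

```javascript
// Added example (not from the issue or the plugin): find nested copies of
// `semver` below 5.7.2 in a package-lock.json "packages" map.
// GHSA-c2qf-rxjj-qqgw (from the thread) is fixed in semver 5.7.2.
const FIXED_SEMVER = "5.7.2";

// Constructed sample lockfile; version numbers other than semver 5.4.1 are
// placeholders and not taken from the real plugin.
const SAMPLE_LOCK = {
  name: "my-service",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-service", dependencies: { "serverless-plugin-log-retention": "*" } },
    // hoisted top-level semver, already on a fixed line (constructed)
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/serverless-plugin-log-retention": {
      version: "0.0.0-placeholder",
      dependencies: { semver: "5.4.1" },
    },
    // the nested copy npm audit complains about
    "node_modules/serverless-plugin-log-retention/node_modules/semver": { version: "5.4.1" },
  },
};

// Numeric comparison of dotted versions; returns <0, 0 or >0 like a comparator.
// Pre-release suffixes are dropped, which is sufficient for a minimum-version check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name is everything after the last "node_modules/" segment, so
// scoped packages ("@scope/name") and deeply nested copies are both handled.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every lockfile entry for `name` whose resolved version is older than
// `minVersion`, with the path so the owning dependency is visible.
function findVulnerable(lock, name, minVersion) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    if (packageNameFromPath(lockPath) !== name || !entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path: lockPath, version: entry.version });
    }
  }
  return hits;
}

// Convenience wrapper: returns the hits for the sample lockfile.
function auditSampleLock() {
  return findVulnerable(SAMPLE_LOCK, "semver", FIXED_SEMVER);
}

for (const hit of auditSampleLock()) {
  console.log(`semver ${hit.version} < ${FIXED_SEMVER} at ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The check reports only the exact package path, which is what you need to decide whether the fix is a plugin update (as this issue asks for) or an `overrides` entry in your own `package.json`; whether the plugin still works with a newer semver under an override has to be tested separately.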

Any update here?

```
npm audit

# npm audit report

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/serverless-plugin-log-retention/node_modules/semver
  serverless-plugin-log-retention  *
  Depends on vulnerable versions of semver
  node_modules/serverless-plugin-log-retention
```

hashanotrium avatar Aug 03 '23 13:08 hashanotrium

Any update here? `npm audit`

fedeam avatar Aug 02 '24 15:08 fedeam

I ended up just using the built-in serverless log retention settings and stopped using this plugin: https://www.serverless.com/framework/docs/providers/aws/guide/functions#log-group-resources

openam avatar Aug 09 '24 22:08 openam