Describe the bug
Dependency security advisory states the following multiple times (`yarn audit` does too):
| moderate | semver vulnerable to Regular Expression Denial of Service |
|---|---|
| Package | semver |
| Patched in | >=6.3.1 |
| Dependency of | jest |
| Path | jest > jest-cli > @jest/core > @jest/reporters > istanbul-lib-instrument > @babel/core > semver |
| More info | Advisory 1095366 |
To reproduce
Run `yarn audit`.
Expected behavior
To have no dependency vulnerabilities
Potential solution
When I tried to update all packages to the latest version, there were no issues. These do include major version updates though:
| Package | Old Version | New Version |
|---|---|---|
| @actions/core | ^1.10.0 | ^1.10.1 |
| @actions/github | ^5.1.1 | ^6.0.0 |
| @semantic-release/changelog | 6.0.2 | 6.0.3 |
| @semantic-release/commit-analyzer | 9.0.2 | 11.1.0 |
| @semantic-release/github | 8.0.7 | 9.2.6 |
| @semantic-release/release-notes-generator | 10.0.3 | 12.1.0 |
| @vercel/ncc | ^0.36.1 | ^0.38.1 |
| conventional-changelog-conventionalcommits | 5.0.0 | 7.0.2 |
| conventional-commits-parser | ^3.2.4 | ^5.0.0 |
| eslint | 8.36.0 | 8.56.0 |
| eslint-config-molindo | 6.0.0 | 7.0.0 |
| jest | 29.5.0 | 29.7.0 |
| semantic-release | ^19.0.5 | ^23.0.0 |
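Added example, not from the issue author or the project: a small Node script that parses a yarn.lock (v1 format) and lists every `semver` entry whose resolved version is below the patched version quoted in the advisory above (>=6.3.1). This is the check to run on the lockfile before and after a dependency bump, since `yarn audit` reports per dependency path while the lockfile shows which resolved copies actually ship. The lockfile text embedded below is constructed for illustration; the package names and versions in it, other than the semver threshold, are assumptions.

```javascript
// Added example (not the project's code): find yarn.lock entries for a package
// that resolve below a patched version. Lockfile content is constructed.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@babel/core@^7.11.6":
  version "7.21.3"
  dependencies:
    semver "^6.3.0"

semver@^5.6.0, semver@^5.7.1:
  version "5.7.1"

semver@^6.3.0:
  version "6.3.0"

semver@^7.3.5, semver@^7.5.4:
  version "7.5.4"
`;

// Parse top-level entries: an unindented line ending in ':' names one or more
// "<pkg>@<range>" specs; the indented 'version "x.y.z"' line that follows is
// the copy that actually gets installed.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      const specs = raw
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version "([^"]+)"/.exec(raw);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Package name of a spec such as "@babel/core@^7.11.6" or "semver@^5.6.0".
// Scoped names start with '@', so split on the last '@', not the first.
function specName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Numeric compare of dotted versions. Deliberately does not depend on the
// semver package while auditing it; prerelease tags are dropped, which is
// enough for release versions in a lockfile.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Entries for `pkg` whose resolved version is below `patched`.
function findUnpatched(lockText, pkg = "semver", patched = "6.3.1") {
  return parseYarnLock(lockText)
    .filter((e) => e.version && e.specs.some((s) => specName(s) === pkg))
    .filter((e) => compareVersions(e.version, patched) < 0)
    .map((e) => ({ specs: e.specs, version: e.version }));
}

// Human-readable report lines, one per unpatched entry.
function report(lockText, pkg = "semver", patched = "6.3.1") {
  return findUnpatched(lockText, pkg, patched).map(
    (hit) => `${hit.specs.join(", ")} -> ${hit.version} (below ${patched})`
  );
}

console.log(report(SAMPLE_LOCK).join("\n"));
```

Against the constructed lockfile this flags the 5.7.1 and 6.3.0 copies and leaves 7.5.4 alone. To run it on a real project, replace `SAMPLE_LOCK` with the contents of the repository's `yarn.lock` (for example via `fs.readFileSync`); an empty report after the bump is the condition the "Expected behavior" above asks for.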