Bump version

eoftedal · eoftedal · commit 50fd780363ab · 2025-08-01T11:22:34.000+02:00
diff --git a/chrome/extension/js/generated/retire-chrome.js b/chrome/extension/js/generated/retire-chrome.js
@@ -50,7 +50,7 @@ function deepScan(content, repo) {
  */
 
 var exports = exports || {};
-exports.version = '5.2.7';
+exports.version = '5.2.8';
 
 function isDefined(o) {
   return typeof o !== 'undefined';
@@ -7993,7 +7993,7 @@ module.exports={
           ]
         },
         {
-          "below": "0.21.3",
+          "below": "0.21.2",
           "severity": "high",
           "cwe": [
             "CWE-1333",
@@ -9228,6 +9228,28 @@ module.exports={
             "https://vercel.com/changelog/cve-2025-32421"
           ]
         },
+        {
+          "atOrAbove": "15.0.4-canary.51",
+          "below": "15.1.8",
+          "cwe": [
+            "CWE-444"
+          ],
+          "severity": "high",
+          "identifiers": {
+            "summary": "### Summary\nA vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.\n\nUnder certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page\n\nMore details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826)\n\n## Credits\n- Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/)\n- Allam Yasser (inzo)",
+            "githubID": "GHSA-67rr-84xm-4c7r",
+            "CVE": [
+              "CVE-2025-49826"
+            ]
+          },
+          "info": [
+            "https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r",
+            "https://github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2",
+            "https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93",
+            "https://github.com/vercel/next.js/releases/tag/v15.1.8",
+            "https://vercel.com/changelog/cve-2025-49826"
+          ]
+        },
         {
           "atOrAbove": "15.0.0",
           "below": "15.2.2",
@@ -9300,6 +9322,29 @@ module.exports={
             "https://github.com/vercel/next.js",
             "https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O"
           ]
+        },
+        {
+          "atOrAbove": "15.3.0",
+          "below": "15.3.3",
+          "cwe": [
+            "CWE-444"
+          ],
+          "severity": "low",
+          "identifiers": {
+            "summary": "### Summary\n\nA cache poisoning issue in **Next.js App Router >=15.3.0 and < 15.3.3** may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in **Next.js 15.3.3**.\n\nUsers on affected versions should **upgrade immediately** and **redeploy** to ensure proper caching behavior.\n\nMore details: [CVE-2025-49005](https://vercel.com/changelog/cve-2025-49005)",
+            "githubID": "GHSA-r2fc-ccr8-96c4",
+            "CVE": [
+              "CVE-2025-49005"
+            ]
+          },
+          "info": [
+            "https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4",
+            "https://github.com/vercel/next.js/issues/79346",
+            "https://github.com/vercel/next.js/pull/79939",
+            "https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066",
+            "https://github.com/vercel/next.js/releases/tag/v15.3.3",
+            "https://vercel.com/changelog/cve-2025-49005"
+          ]
         }
       ],
       "extractors": {
@@ -9946,7 +9991,7 @@ module.exports={
           "/\\*[\\s*!]+(?:@license)?[\\s*]+(?:Lo-Dash|lodash|Lodash) v?(§§version§§)[\\s\\S]{1,200}Build: `lodash modern -o",
           "/\\*[\\s*!]+(?:@license)?[\\s*]+(?:Lo-Dash|lodash|Lodash) v?(§§version§§) <",
           "/\\*[\\s*!]+(?:@license)?[\\s*]+(?:Lo-Dash|lodash|Lodash) v?(§§version§§) lodash.com/license",
-          "=\"(§§version§§)(?<=[0-9]+(\\.[0-9]{1,3}){1,5})\"[\\s\\S]{1,300}__lodash_hash_undefined__",
+          "=\"(§§version§§)(?<=[0-9]{1,2}\\.[0-9]{1,2}\\.[0-9]{1,2})\"[\\s\\S]{1,300}__lodash_hash_undefined__",
           "/\\*[\\s*]+@license[\\s*]+(?:Lo-Dash|lodhash|Lodash)[\\s\\S]{1,500}var VERSION *= *['\"](§§version§§)['\"]",
           "var VERSION=\"(§§version§§)\";var BIND_FLAG=1,BIND_KEY_FLAG=2,CURRY_BOUND_FLAG=4,CURRY_FLAG=8"
         ],
diff --git a/node/lib/retire.js b/node/lib/retire.js
@@ -4,7 +4,7 @@
  */
 
 var exports = exports || {};
-exports.version = '5.2.7';
+exports.version = '5.2.8';
 
 function isDefined(o) {
   return typeof o !== 'undefined';
diff --git a/node/package-lock.json b/node/package-lock.json
diff --git a/node/package.json b/node/package.json
@@ -2,7 +2,7 @@
   "author": "Erlend Oftedal <erlend@oftedal.no>",
   "name": "retire",
   "description": "Retire is a tool for detecting use of vulnerable libraries",
-  "version": "5.2.7",
+  "version": "5.2.8",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
