Security Vuln In Semver Dependency

[gamboaa]

├─┬ jsonwebtoken@9.0.1
│ └── semver@7.3.8 deduped

CVE-2022-25883 (OSSINDEX) 

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CWE-1333 Inefficient Regular Expression Complexity

CVSSv3:

Base Score: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

OSSINDEX - [CVE-2022-25883] CWE-1333
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25883
OSSIndex - npm/node-semver#564
OSSIndex - https://vuldb.com/?id.232060

Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a::semver:7.3.8:::::::

[dvasilen]

See also #914 (comment)

[ched-dev]

More info: GHSA-c2qf-rxjj-qqgw

See also #919

[hugoArregui]

I'm wondering if semver could become a devDependency instead of a normal dependency

[gabrielenosso]

Up.
Our pipeline is broken cause of the security issue.

[jakelacey2012]

The fix has been merged in #932 and released as part of the 9.0.2 release.