Please fix semver security issue. #2803
Comments
Like most CVEs, it's a false positive. We're not using We can't ever bump the semver version because v7 drops support for engines we support, so unless the fix is backported to v6, it'll just have to remain a false positive.
Sounds sad, but thanks for the answer anyway.
Same case here. It's breaking the CI even though it's a dev dependency. o/
How about reopening this issue until the backport fix on Semver completes? The Babel & Microsoft teams are trying to fix Semver v5/6. I see that @ljharb has commented there as well, but it seems the Semver team still has no plan to backport the fix.
People file duplicate issues for this kind of thing whether there's one open or not, in my experience, and regardless, no issue should ever be filed for this sort of thing. A major upgrade isn't reasonable to request, and if the package backports the fix, nothing needs to be done here.
The npm audit report says eslint-plugin-import package has a vulnerability:
Here is a security issue - https://security.snyk.io/package/npm/semver/6.3.0.
Please bump the semver version.
The version of the eslint-plugin-import package that I am using is 2.27.5.
Thanks in advance.