[api-extractor] Semver package needs to be updated to address vulnerability #4216
Comments
nipunn1313
added a commit
to nipunn1313/rushstack
that referenced
this issue
Jul 18, 2023
Qjuh
pushed a commit
to discordjs/rushstack
that referenced
this issue
Nov 7, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We are using API extractor, which has a dependency on the semver package: "semver": "~7.3.0". Recently there was a vulnerability reported for older versions of the semver package https://nvd.nist.gov/vuln/detail/CVE-2022-25883.
Can the semver package dependencies be updated in API extractor and better yet can we start leveraging ^ semver ranges for this dependency going forward to remove the friction on downstream repos for addressing these vulnerabilities
Summary
Repro steps
Expected result:
Actual result:
Details
Standard questions
Please answer these questions to help us investigate your issue more quickly:
@microsoft/api-extractorversion?node -v)?The text was updated successfully, but these errors were encountered: