Skip to content

security: updating semver to 7.5.4 to resolve CVE-2022-25883#932

Merged
jakelacey2012 merged 1 commit intoauth0:masterfrom
jakelacey2012:update/semver-7.5.2
Aug 30, 2023
Merged

security: updating semver to 7.5.4 to resolve CVE-2022-25883#932
jakelacey2012 merged 1 commit intoauth0:masterfrom
jakelacey2012:update/semver-7.5.2

Conversation

@jakelacey2012
Copy link
Contributor

@jakelacey2012 jakelacey2012 commented Aug 25, 2023
edited
Loading

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR updates semver to a minimum version of 7.5.4 to resolve CVE-2022-25883.

References

Testing

  • npm test is passing.
  • ✅ This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@jakelacey2012 jakelacey2012 changed the title Updating semver to 7.5.2 to resolve CVE-2022-25883 security: updating semver to 7.5.2 to resolve CVE-2022-25883 Aug 25, 2023
@SEKERM SEKERM mentioned this pull request Aug 28, 2023
Closed
4 tasks
SEKERM
SEKERM reviewed Aug 28, 2023
View reviewed changes
Copy link

@SEKERM SEKERM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please go to 7.5.4.

@mkrudele
Copy link

mkrudele commented Aug 28, 2023

When will this PR be merged and a new version of the module published?

cpettet
cpettet reviewed Aug 28, 2023
View reviewed changes
package.json Outdated
"lodash": "^4.17.21",
"ms": "^2.1.1",
"semver": "^7.3.8"
"semver": "^7.5.2"
Copy link

@cpettet cpettet Aug 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"semver": "^7.5.2"
"semver": "^7.5.4"

Copy link

@cpettet cpettet Aug 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a few bugfixes from 7.5.3 and 7.5.4.

@jakelacey2012 jakelacey2012 changed the title security: updating semver to 7.5.2 to resolve CVE-2022-25883 security: updating semver to 7.5.4 to resolve CVE-2022-25883 Aug 29, 2023
@jakelacey2012
Copy link
Contributor Author

jakelacey2012 commented Aug 29, 2023

@SEKERM @cpettet thanks for the feedback, I've updated to 7.5.4.

SEKERM
SEKERM approved these changes Aug 29, 2023
View reviewed changes
Copy link

@SEKERM SEKERM left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. @david-renaud-okta can you give approval with write access:

Review required
At least 1 approving review is required by reviewers with write access.

@SEKERM
Copy link

SEKERM commented Aug 30, 2023
edited
Loading

@jakelacey2012 when will you merge into master? Thank you.

@jakelacey2012 jakelacey2012 merged commit ed35062 into auth0:master Aug 30, 2023
This was referenced Aug 30, 2023
Merged
Closed
@Uzlopak
Copy link

Uzlopak commented Nov 20, 2023

You could have just removed semver

https://github.com/auth0/node-jsonwebtoken/pull/880/files

D'oh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@CharlesRea CharlesRea CharlesRea approved these changes

+3 more reviewers

@cpettet cpettet cpettet left review comments

@SEKERM SEKERM SEKERM approved these changes

@david-renaud-okta david-renaud-okta david-renaud-okta left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@jakelacey2012 @mkrudele @SEKERM @Uzlopak @CharlesRea @cpettet @david-renaud-okta