dependabot npm(deps-dev): [security] bump semver from 6.3.0 to 6.3.1
Bumps semver from 6.3.0 to 6.3.1. This update includes a security fix.
Vulnerabilities fixed
semver vulnerable to Regular Expression Denial of Service Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Patched versions: 6.3.1 Affected versions: >= 6.0.0, < 6.3.1
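Upgrading to 6.3.1 is the fix; the example below is an added defence-in-depth guard, not code from the semver project or from this PR. It bounds what untrusted input may reach a range parser such as `new Range` (the advisory's trigger) by capping length, restricting the character set and collapsing whitespace runs (the 6.3.1 fix is about whitespace handling). The parser is injected so the file runs without semver installed; in real code you would pass `(s) => new semver.Range(s)`. `MAX_RANGE_LENGTH`, `RANGE_CHARSET` and the sample inputs are assumptions chosen for the example.

```javascript
// Added example: input guard in front of a semver range parser.
// Assumed limits; tune them for the application.
const MAX_RANGE_LENGTH = 256;
// Characters a semver range can legitimately contain (digits, identifiers,
// comparators, hyphen ranges, wildcards, "||" and whitespace). Anything else
// is rejected before any regex-heavy parsing happens.
const RANGE_CHARSET = /^[0-9A-Za-z.\-+*xX|^~<>=\s]*$/;

/**
 * Normalise an untrusted range string before parsing.
 * Returns the cleaned string, or null if the input must be rejected.
 */
function sanitizeRangeInput(input) {
  if (typeof input !== 'string') return null;
  if (input.length > MAX_RANGE_LENGTH) return null;   // bound parser work up front
  if (!RANGE_CHARSET.test(input)) return null;         // reject unexpected characters
  // Collapse whitespace runs: long runs of spaces are the input class the
  // 6.3.1 whitespace-handling fix addresses.
  return input.trim().replace(/\s+/g, ' ');
}

/**
 * Parse a range with a caller-supplied parser, only after sanitising input.
 * Returns { ok: true, range } or { ok: false, reason }.
 */
function parseRangeSafely(input, parser) {
  const cleaned = sanitizeRangeInput(input);
  if (cleaned === null) return { ok: false, reason: 'rejected by input guard' };
  try {
    return { ok: true, range: parser(cleaned) };
  } catch (err) {
    return { ok: false, reason: `parser error: ${err.message}` };
  }
}

// Stand-in parser (constructed) so the example runs offline; replace with
// (s) => new semver.Range(s) when semver >= 6.3.1 is installed.
const identityParser = (s) => ({ raw: s });

// Constructed sample inputs.
const samples = [
  '>=1.2.3 <2.0.0',                 // accepted as-is
  '  ^1.0.0   ||   ~2.1.0 ',        // accepted after whitespace normalisation
  '1.2.3' + ' '.repeat(1000),       // oversized whitespace run: rejected by length
  '>=1.0.0, <2.0.0',                // comma is outside the range alphabet: rejected
];

for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 40)), '->', parseRangeSafely(s, identityParser));
}
```

The guard is deliberately conservative: a length cap alone already turns a super-linear regex into a bounded amount of work, and the character filter rejects inputs that no valid range would contain before they reach the parser at all.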
Release notes
Sourced from semver's releases.
v6.3.1
6.3.1 (2023-07-10)
Bug Fixes
928e56d #591 better handling of whitespace (#591) (@lukekarrys, @joaomoreno, @nicolo-ribaudo)
Changelog
Sourced from semver's changelog.
6.3.1 (2023-07-10)
Bug Fixes
928e56d #591 better handling of whitespace (#591) (@lukekarrys, @joaomoreno, @nicolo-ribaudo)
6.2.0
- Coerce numbers to strings when passed to semver.coerce()
- Add rtl option to coerce from right to left
6.1.3
- Handle X-ranges properly in includePrerelease mode
6.1.2
- Do not throw when testing invalid version strings
6.1.1
- Add options support for semver.coerce()
- Handle undefined version passed to Range.test
6.1.0
- Add semver.compareBuild function
- Support * in semver.intersects
6.0
Fix intersects logic. This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.
5.7
- Add minVersion method
5.6
- Move boolean loose param to an options object, with backwards-compatibility protection.
- Add ability to opt out of special prerelease version handling with the includePrerelease option flag.
5.5
... (truncated)
Commits
Maintainer changes
This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.