
Bump semver from 5.5.0 to 5.7.2#4

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/semver-5.7.2

Conversation


@dependabot dependabot bot commented on behalf of github Feb 4, 2026

Bumps semver from 5.5.0 to 5.7.2.

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

5.7

  • Add minVersion method

5.6

  • Move boolean loose param to an options object, with backwards-compatibility protection.
  • Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

  • Add version coercion capabilities

5.4

  • Add intersection checking

5.3

  • Add minSatisfying method

5.2

  • Add prerelease(v) that returns prerelease components

5.1

  • Add Backus-Naur for ranges
  • Remove excessively cute inspection methods

5.0

  • Remove AMD/Browserified build artifacts
  • Fix ltr and gtr when using the * range
  • Fix for range * with a prerelease identifier
Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [semver](https://github.com/npm/node-semver) from 5.5.0 to 5.7.2.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md)
- [Commits](npm/node-semver@v5.5.0...v5.7.2)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 5.7.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Feb 4, 2026

fossabot bot commented Feb 4, 2026

✓ Safe to upgrade

I recommend merging this upgrade because it fixes multiple high and medium severity Regular Expression Denial of Service (ReDoS) vulnerabilities in semver while introducing no breaking changes. The package is only used as a transitive dependency through the MongoDB driver stack and is not directly exposed to user input in the application code, minimizing exploit risk. The upgrade includes 11 new features and 12 bug fixes with no impact to existing functionality.

What we checked

  • semver is a transitive dependency of require_optional (^5.1.0), which is used by mongodb-core, not directly by application code [1]
  • Current semver version is 5.7.2, upgrade includes security fixes for ReDoS vulnerabilities [2]
  • Application uses mongodb driver (line 8-9) which internally depends on semver; no direct semver usage found in any application code [3]
  • No direct dependency on semver listed; mongodb and monk are the only database-related direct dependencies [4]
  • Dependency chain: mongodb-core depends on require_optional, which depends on semver, keeping the package isolated from direct user input [5]

Dependency Usage

The semver package is currently unused in the application codebase, appearing only as a transitive dependency in package-lock.json with no direct references in source code or configuration files. This dependency does not actively support any business functionality or architectural patterns in the application. It may be a remnant from a removed feature or an indirect dependency of another package that doesn't utilize it.

  • Application uses mongodb driver (line 8-9) which internally depends on semver; no direct semver usage found in any application code
    var mongo = require('mongodb');

Changes

The semver package was updated with two critical security fixes addressing Regular Expression Denial of Service (ReDoS) vulnerabilities through bounded regex quantifiers and improved input normalization. The update also adds the minVersion() function, an includePrerelease option for range matching, and multiple bug fixes for range expansion and version coercion.

  • Fixed Regular Expression Denial of Service (ReDoS) vulnerability by replacing greedy regex quantifiers with bounded limits in internal regex patterns (v5.7.2, package source)
  • Added makeSafeRe() function and safeRe object to create safer regex patterns with MAX_LENGTH and MAX_SAFE_BUILD_LENGTH constraints to prevent exponential backtracking (v5.7.2, package source)
  • 2f8fd41 #585 better handling of whitespace (#585) (@joaomoreno, @lukekarrys) (v5.7.1-5.7.2, release notes)
  • Fix grammar for ranges (v5.5.0-5.5.1, commit)
  • Fix bin/semver runtime error (v5.5.1-5.6.0, commit)
  • Fix code style and achieve 100% coverage (v5.6.0-5.7.0, commit)
  • fix: better handling of whitespace (#585) (v5.7.1-5.7.2, commit)
  • Add optional parameter to range test to allow prerelease versions to match (v5.5.1-5.6.0, commit)
  • Add prerelease version unlock tests (v5.5.1-5.6.0, commit)
  • Add semver.minVersion function (v5.6.0-5.7.0, commit)
  • Add 'standard' to dev dependencies and npm test (v5.6.0-5.7.0, commit)
  • Add changelog (v5.6.0-5.7.0, commit)
  • Update tap version (v5.5.0-5.5.1, commit)
  • Improve detection of truthy loose params (v5.5.1-5.6.0, commit)
  • Replace prereleaseLock with includePrerelease option (v5.5.1-5.6.0, commit)
  • Switch boolean loose param to an options object (v5.5.1-5.6.0, commit)
  • Remove version from readme (v5.5.1-5.6.0, commit)
  • Document parse method (v5.6.0-5.7.0, commit)
  • Document includePrerelease flag more (v5.6.0-5.7.0, commit)
  • Apply 'standard' code style to semver.js, bin/semver, and test files (v5.6.0-5.7.0, commit)
  • Move 'standard' from scripts.test to .posttest (v5.6.0-5.7.0, commit)
  • Remove nomin comments (v5.6.0-5.7.0, commit)
  • Remove node 4 support (v5.6.0-5.7.0, commit)
  • Drop windows testing (v5.6.0-5.7.0, commit)
  • Use https when possible (v5.6.0-5.7.0, commit)
  • Upgrade to next-gen tap for testing (v5.6.0-5.7.0, commit)
  • Refactor CLI test to work without execSync (v5.6.0-5.7.0, commit)
  • Remove dead execSync code in test/cli.js (v5.6.0-5.7.0, commit)
  • Set up auto-publishing scripts (v5.6.0-5.7.0, commit)
  • chore: @npmcli/template-oss@4.16.0 (v5.7.1-5.7.2, commit)
  • Corrected grammar specification in README documentation - removed trailing pipe operator from primitive definition that incorrectly suggested an empty option (v5.5.1, package source)
  • Fixed diff() function to properly handle prerelease version comparison by using a defaultResult variable (v5.7.0, package source)
  • Fixed tilde range expansion (~) to properly handle prerelease identifiers without double-prepending hyphens (v5.7.0, package source)
  • Fixed X-range replacement logic to correctly set patch version to 0 in all X-range scenarios (v5.7.0, package source)
  • Fixed coerce() function to properly extract major version from match groups (v5.7.0, package source)
  • Corrected documentation for coerce() function - changed incorrect reference from 'Integer.MAX_SAFE_INTEGER' to 'Number.MAX_SAFE_INTEGER' (v5.7.1, package source)
  • Improved input normalization by trimming and collapsing whitespace earlier in Range and Comparator constructors to reduce reliance on potentially slow regex patterns (v5.7.2, package source)
  • Enhanced error messages in Range constructor to use normalized input (this.raw) instead of original input for better debugging (v5.7.2, package source)
  • Added includePrerelease option to control whether prerelease versions are included in range matching. When set to true, prerelease versions are always included in range comparisons, suppressing the default behavior of excluding them. (v5.6.0, package source)
  • Added CLI flag -p/--include-prerelease to always include prerelease versions in range matching from the command line (v5.6.0, package source)
  • All API functions now accept an options object {loose, includePrerelease} instead of just a boolean loose parameter. Backwards compatible - boolean values are still accepted and treated as the loose option. (v5.6.0, package source)
  • SemVer, Comparator, and Range classes now store full options object (this.options) for better option propagation throughout the API (v5.6.0, package source)
  • Added minVersion(range) method that returns the lowest version that can possibly match the given range (v5.7.0, package source)
  • Added documentation for parse(v) method in README - attempts to parse a string as a semantic version, returning either a SemVer object or null (v5.7.0, package source)
  • Updated tap dev dependency from ^10.7.0 to ^12.0.1 (v5.5.1, package source)
  • Updated documentation to describe the new options object format and includePrerelease behavior (v5.6.0, package source)
  • Updated semver.org URLs from http:// to https:// throughout documentation and help text (v5.7.0, package source)
  • Updated tap devDependency from ^12.0.1 to ^13.0.0-rc.18 (v5.7.0, package source)
  • Added npm scripts for automated versioning workflow (preversion, postversion, postpublish) (v5.7.0, package source)
  • Added tap configuration to enable code coverage checking (v5.7.0, package source)
  • Code style improvements: consistent formatting, proper bracing, and semicolon usage throughout codebase (v5.7.0, package source)
  • Changed code coverage comments from /* nomin */ to /* istanbul ignore next */ for better tooling support (v5.7.0, package source)
  • Improved documentation formatting and line wrapping in README for coerce() function description (v5.7.1, package source)
  • Replaced greedy regex tokens (* and +) with limited quantifiers ({0,N} and {1,N}) in all internal regex operations while maintaining backward compatibility by keeping original regexes exported (v5.7.2, package source)
  • Updated devDependencies: downgraded tap from ^13.0.0-rc.18 to ^12.7.0 and added @npmcli/template-oss@4.17.0 (v5.7.2, package source)
  • Removed CHANGELOG.md file from package distribution (v5.7.2, package source)
References (5)

[1]: semver is a transitive dependency of require_optional (^5.1.0), which is used by mongodb-core, not directly by application code

"semver": "^5.1.0"

[2]: Current semver version is 5.7.2, upgrade includes security fixes for ReDoS vulnerabilities

"node_modules/semver": {

[3]: Application uses mongodb driver (line 8-9) which internally depends on semver; no direct semver usage found in any application code

var mongo = require('mongodb');

[4]: No direct dependency on semver listed; mongodb and monk are the only database-related direct dependencies

"dependencies": {

[5]: Dependency chain: mongodb-core depends on require_optional, which depends on semver, keeping the package isolated from direct user input

"require_optional": "^1.0.1"


fossabot analyzed this PR using dependency research.
