As of today (23 June 2023), running npm audit on a project that uses node-zopfli results in the following audit report:
```
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/semver
  node-abi 2.1.2 - 2.30.1
  Depends on vulnerable versions of semver
  node_modules/node-abi
    prebuild-install 2.5.1 - 6.1.4
    Depends on vulnerable versions of node-abi
    node_modules/prebuild-install
      node-zopfli >=2.1.3
      Depends on vulnerable versions of prebuild-install
      node_modules/node-zopfli
```
The vulnerability arises from node-zopfli's dependency on the semver package, which is reported as being vulnerable to Regular Expression Denial of Service: GHSA-c2qf-rxjj-qqgw
Trying `npm audit fix --force` causes npm to try to downgrade node-zopfli to 2.0.3, which ultimately fails with compilation errors.
A fix for semver is available: https://github.com/npm/node-semver/releases/tag/v7.5.3
Please update node-zopfli's dependency tree to address this vulnerability.
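Added example (not part of the issue above, nor node-zopfli's own configuration): until the dependency tree is updated upstream, a consuming project can pin the transitive semver resolution from its own package.json using npm's `overrides` field (npm 8.3 or later). The `^7.5.3` override assumes the semver 7 API is compatible with how node-abi calls it; verify that with the project's test suite before shipping.

```json
{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "node-zopfli": "^2.1.3"
  },
  "overrides": {
    "node-abi": {
      "semver": "^7.5.3"
    }
  }
}
```

After `npm install`, `npm ls semver` should show the copy resolved under node-abi at 7.5.3 or later, and `npm audit` should no longer report GHSA-c2qf-rxjj-qqgw via the node-zopfli chain.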