The semver tag on WindowsForum.com covers discussions about the semantic versioning parser widely used in the Node.js and npm ecosystems. Content focuses on security vulnerabilities, particularly CVE-2022-25883, a Regular Expression Denial of Service (ReDoS) flaw in the semver package that could crash Node.js processes when parsing untrusted version range input. Fixes were released in semver versions 5.7.2, 6.3.1, and 7.5.2. Topics include patching, mitigation strategies, and safeguarding Node.js applications. The tag is relevant for developers and IT professionals managing npm dependencies and addressing security issues in the JavaScript ecosystem.
-
The semver package—ubiquitous in the npm ecosystem—contained a Regular Expression Denial of Service (ReDoS) flaw that lets attackers hang or crash Node.js processes when untrusted input is parsed as a version range, and the vulnerability is tracked as CVE-2022-25883 with fixes released in semver...