Backport the ReDoS fix in v2.0.0

[XhmikosR]

Hey, @sindresorhus. I know you might not support v2.0.0, but there are so many packages that are still using it: https://www.npmjs.com/package/semver-regex?activeTab=versions

2.0.0
1,955,620

Would it be possible to backport the fix for 2.x too?

Thanks!

PS. the latest npm tag points to v3.1.3, not sure if that's intentional.

[sindresorhus]

I don't plan to backport to v2. v2 is a very old release. I generally only backport one release back.

[sindresorhus]

but there are so many packages that are still using it:

You don't know that. It could be a single popular dependency that never updated.

[sindresorhus]

PS. the latest npm tag points to v3.1.3, not sure if that's intentional.

Thanks for letting me know. Fixed.

[XhmikosR]

The issue for me is this dep chain: bin-wrapper -> find-versions -> semver-regex.

I'm only judging by the numbers, and the numbers are big.

[sindresorhus]

The "vulnerability" does not apply to bin-wrapper.

[sindresorhus]

npm/rfcs#422 would solve this.

[XhmikosR]

Yup, agreed, thanks for the info!

…

On Sun, Oct 3, 2021, 08:59 Sindre Sorhus ***@***.***> wrote: npm/rfcs#422 <npm/rfcs#422> would solve this. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#22 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACVLNN475WNFYNQXVRRO4DUE7WMJANCNFSM5FHGA7VA> .

[lorand-horvath]

@sindresorhus I have this dep chain: bin-wrapper > bin-version-check > bin-version > find-versions > semver-regex which audits as vulnerable to ReDoS because it depends on the unpatched semver-regex 2.0.0
Is there something I can do to fix this? It's driving me crazy.