
Use of semver package in pg module

Open jilvin opened this issue 5 years ago • 5 comments

Current version of semver is 7.1.3. The package.json of pg module depends on semver version 4.3.2. Is this intentional?

A license field update was carried out in the package semver after 4.3.2: https://github.com/npm/node-semver/commit/70d7835868fea1d43f625098cc947b48e7f87e9f

Users of the pg module miss out on this critical update in the semver package.

jilvin avatar Mar 12 '20 13:03 jilvin

Aren’t the BSD and ISC licenses equivalent in permissions? Not sure how that’s a critical update.

charmander avatar Mar 12 '20 21:03 charmander

IANAL

The issue was that the license mentioned in the package.json was BSD and not BSD 3-Clause (new). The original BSD has an advertising clause. The commit referred to updated both the license and the license field within package.json.

jilvin avatar Mar 13 '20 04:03 jilvin

spdx-expression-parse also chokes on the string "BSD" because that's not a valid identifier. See https://github.com/jslicense/spdx-expression-parse.js/issues/11

If you use LicenseWebpackPlugin and use spdx-satisfies as suggested in their documentation pg's dependency on this old version of semver will cause the plugin to choke.

kwasimensah avatar Apr 30 '20 15:04 kwasimensah

This code is so old it can probably be safely removed, honestly. It was added when I was adding breaking changes to pg-native relatively frequently. I'll see about just deleting it & managing it better w/ an optionalDependencies field in package.json or something.

brianc avatar May 08 '20 15:05 brianc

Hi, Semver 4.3.2 is marked as a High level vulnerability: https://security.snyk.io/package/npm/semver/4.3.2

SirAndrii avatar Sep 05 '23 18:09 SirAndrii
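The two problems raised in this thread, a transitive dependency whose `license` field is not a valid SPDX identifier (the bare `"BSD"` that spdx-expression-parse rejects) and a copy of semver pinned below a version known to be vulnerable, are both things a dependency audit can catch before a build tool chokes on them. The script below is an added example, not code from node-postgres or any of the tools mentioned: it walks a constructed dependency tree (shaped loosely like `npm ls --json` output, with a `license` field attached to each node for the demo) and reports every path that carries an invalid license expression or an outdated copy of a named package. The SPDX allow-list, the minimum-version table and the package versions other than semver 4.3.2 are assumptions made for the example.

```javascript
// Added example (not node-postgres project code): audit a dependency tree for
// invalid SPDX license fields and for copies of a package below a minimum version.

// Small SPDX allow-list, enough for the demo. Real tooling (spdx-expression-parse,
// spdx-satisfies) validates against the full SPDX license list.
const SPDX_IDS = new Set([
  "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "PostgreSQL",
]);

// Accept a single identifier or identifiers joined by AND / OR, optionally
// parenthesised. Bare "BSD" is rejected, as spdx-expression-parse rejects it.
function isValidSpdxExpression(expr) {
  if (typeof expr !== "string" || expr.trim() === "") return false;
  const opens = (expr.match(/\(/g) || []).length;
  const closes = (expr.match(/\)/g) || []).length;
  if (opens !== closes) return false;
  const tokens = expr.replace(/[()]/g, " ").trim().split(/\s+/);
  if (tokens.length % 2 === 0) return false; // must end on an identifier
  return tokens.every((tok, i) =>
    i % 2 === 0 ? SPDX_IDS.has(tok) : tok === "AND" || tok === "OR");
}

// Parse the numeric major.minor.patch prefix of a version string.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// true when version a is strictly lower than version b (prerelease tags ignored).
function versionLess(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return false;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walk the tree depth-first and collect findings with the full dependency path,
// so the report shows which top-level dependency pulls in the bad package.
function auditTree(tree, minVersions = {}) {
  const findings = [];
  const walk = (node, name, path) => {
    const here = [...path, name];
    if (!isValidSpdxExpression(node.license)) {
      findings.push({ kind: "invalid-license", path: here.join(" > "),
                      license: String(node.license) });
    }
    const min = minVersions[name];
    if (min && versionLess(node.version, min)) {
      findings.push({ kind: "outdated", path: here.join(" > "),
                      version: node.version, minimum: min });
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, here);
    }
  };
  walk(tree, tree.name, []);
  return findings;
}

// Constructed sample tree. Only "semver 4.3.2" with license "BSD" is taken from
// the thread; every other name, version and license here is made up for the demo.
const SAMPLE_TREE = {
  name: "my-app", version: "1.0.0", license: "MIT",
  dependencies: {
    pg: {
      version: "8.0.0", license: "MIT",
      dependencies: { semver: { version: "4.3.2", license: "BSD" } },
    },
    "some-tool": {
      version: "2.1.0", license: "Apache-2.0",
      dependencies: { semver: { version: "7.1.3", license: "ISC" } },
    },
  },
};

// Assumed policy for the demo: flag any semver older than 5.0.0.
const MIN_VERSIONS = { semver: "5.0.0" };

function runSampleAudit() {
  return auditTree(SAMPLE_TREE, MIN_VERSIONS);
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

On the sample tree the report names `my-app > pg > semver` twice, once for the `"BSD"` license and once for the version below the policy minimum, while the second semver copy under `some-tool` passes both checks; that is the distinction a flat `npm ls` listing does not make obvious.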