
[Security] semver (dependency) vulnerable to Regular Expression Denial of Service

Open KareemMAX opened this issue 1 year ago • 0 comments

Describe the bug

This package is dependent on an old version of postman-collection, which is dependent on a vulnerable semver version.

To Reproduce

When running npm audit, the following output appears:

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postman-collection/node_modules/semver
  postman-collection  3.6.0-beta.1 - 4.1.7
  Depends on vulnerable versions of semver
  node_modules/postman-collection
    postman-code-generators  >=1.1.0
    Depends on vulnerable versions of postman-collection
    node_modules/postman-code-generators

3 moderate severity vulnerabilities

Fix suggestion

Update postman-collection to version 4.4.0.

Additional context

  • https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

KareemMAX, Mar 25 '24 18:03
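The audit output above shows why the finding is easy to miss: the affected semver is a nested copy under node_modules/postman-collection, not the top-level one. The script below is an added example, not code from the reporter or from the postman-code-generators project. It walks the "packages" map of an npm lockfile (v2/v3 format), picks out every installed copy of semver, and flags those whose version falls in the range npm audit printed for GHSA-c2qf-rxjj-qqgw (7.0.0 through 7.5.1 inclusive; the advisory page itself may list further ranges, which are not covered here). The lockfile fragment is constructed for the example to mirror the dependency chain in the report, and the version strings in it are assumptions, not the project's real lockfile.

```javascript
// Added example: find nested copies of semver in an npm lockfile whose version
// lies inside the affected range reported by `npm audit` above.
// Range taken from the audit output on this page (7.0.0 - 7.5.1, inclusive).
const AFFECTED = { name: 'semver', min: [7, 0, 0], max: [7, 5, 1] };

// Minimal version parser: "7.5.1" or "7.5.1-beta.2" -> [7, 5, 1].
// Prerelease/build tags are ignored, which is sufficient for a range check
// on released versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is inside the inclusive affected range.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED.min) >= 0 &&
         compareVersions(v, AFFECTED.max) <= 0;
}

// Constructed lockfile fragment (lockfileVersion 3 layout) mirroring the
// chain in the report: postman-code-generators -> postman-collection ->
// a nested semver. Versions here are assumptions chosen for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0',
          dependencies: { 'postman-code-generators': '^1.1.0' } },
    'node_modules/postman-code-generators': { version: '1.1.0' },
    'node_modules/postman-collection': { version: '4.1.7' },
    'node_modules/postman-collection/node_modules/semver': { version: '7.5.0' },
    'node_modules/semver': { version: '7.5.4' },  // top-level copy, not affected
  },
};

// Split a lockfile path such as "node_modules/a/node_modules/@s/b" into the
// package names along it: ["a", "@s/b"]. The last element is the package
// installed at that path, the rest are the parents that nested it.
function pathToChain(lockPath) {
  return lockPath
    .split('node_modules/')
    .filter(Boolean)
    .map(seg => seg.replace(/\/$/, ''));
}

// Return every installed semver copy with an affected version, together with
// the parent chain that pulled it in (empty for a top-level install).
function findAffectedSemver(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (!lockPath) continue;                 // root project entry
    const chain = pathToChain(lockPath);
    const name = chain[chain.length - 1];
    if (name !== AFFECTED.name) continue;
    if (isAffected(meta.version)) {
      hits.push({ path: lockPath, version: meta.version, via: chain.slice(0, -1) });
    }
  }
  return hits;
}

for (const hit of findAffectedSemver(SAMPLE_LOCK)) {
  console.log(`${hit.path}: semver@${hit.version} is in the affected range` +
              (hit.via.length ? `, nested under ${hit.via.join(' -> ')}` : ''));
}
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A hit whose `via` chain ends in postman-collection is exactly the case in this report, and the fix is the one the reporter proposes: move postman-collection to a release that no longer pins the affected semver, then confirm with a fresh `npm audit`.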