semver, the npm package that parses semantic version strings, moved from version 1.0.11 to 1.0.12, a patch-level bump. Both versions share the same description ("The semantic version parser used by npm"), have no runtime dependencies, declare a single development dependency on tap ("0.x >=0.0.4"), and are licensed under MIT (with a link to the license on GitHub). The visible difference is the release date: 1.0.12 was published on November 18, 2011, three days after 1.0.11 on November 15, 2011. The package metadata does not say what changed; a gap of that size typically corresponds to bug fixes, minor improvements or internal refactoring. Developers using semver should nonetheless consider upgrading to 1.0.12 to pick up any stability or performance fixes it contains. Both versions point at the same repository and are distributed as npm tarballs, so the access model is unchanged. As with any library, keeping packages up to date reduces exposure to known security issues and incompatibilities.
Vulnerabilities affecting version 1.0.12 of the package

Regular Expression Denial of Service in semver. Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Fix: update to version 4.3.2 or later.

semver vulnerable to Regular Expression Denial of Service. Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Version 1.0.12 is older than every fixed release named above, so both advisories apply to it. The remedy in each case is to move to a fixed release; until that is possible, untrusted and unbounded strings should not reach the parser or new Range at all.
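Both advisories share one root cause: attacker-controlled, arbitrarily long input reaching a backtracking regular expression. The following is an added example (not code from the semver project or from this page) of the kind of bounded, linear-time pre-check an application can run before handing a version string to an affected semver release. The length cap MAX_LEN is an assumption, and the grammar is the strict MAJOR.MINOR.PATCH[-prerelease][+build] form, so loose inputs such as "v1.2.3" are rejected on purpose.

```javascript
'use strict';

// Upper bound on accepted input, applied before any other work. Assumption:
// 256 characters is generous for any real-world version string.
const MAX_LEN = 256;

// Numeric identifier: digits only, no leading zero unless the value is "0".
function isNumericId(s) {
  if (s.length === 0) return false;
  if (s.length > 1 && s[0] === '0') return false;
  for (const ch of s) if (ch < '0' || ch > '9') return false;
  return true;
}

// Alphanumeric identifier: [0-9A-Za-z-], non-empty (used for build metadata).
function isAlnumId(s) {
  if (s.length === 0) return false;
  for (const ch of s) {
    const ok = (ch >= '0' && ch <= '9') || (ch >= 'a' && ch <= 'z') ||
               (ch >= 'A' && ch <= 'Z') || ch === '-';
    if (!ok) return false;
  }
  return true;
}

// Pre-release identifier: numeric ones must not have leading zeros.
function isPrereleaseId(s) {
  let allDigits = s.length > 0;
  for (const ch of s) if (ch < '0' || ch > '9') { allDigits = false; break; }
  return allDigits ? isNumericId(s) : isAlnumId(s);
}

// Returns {major, minor, patch, prerelease, build} or null. Every step is a
// single scan or split, so the cost is linear in the (already capped) length
// and there is no backtracking regex for a crafted input to drive.
function preValidateVersion(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_LEN) return null;
  let core = input;
  let build = [];
  const plus = core.indexOf('+');            // build metadata may contain '-',
  if (plus !== -1) {                         // so strip it before looking for '-'
    build = core.slice(plus + 1).split('.');
    core = core.slice(0, plus);
    if (!build.every(isAlnumId)) return null;
  }
  let prerelease = [];
  const dash = core.indexOf('-');
  if (dash !== -1) {
    prerelease = core.slice(dash + 1).split('.');
    core = core.slice(0, dash);
    if (!prerelease.every(isPrereleaseId)) return null;
  }
  const parts = core.split('.');
  if (parts.length !== 3 || !parts.every(isNumericId)) return null;
  return { major: Number(parts[0]), minor: Number(parts[1]), patch: Number(parts[2]), prerelease, build };
}
```

Only strings for which preValidateVersion returns a non-null result should be forwarded to the library; rejected input is logged and dropped rather than parsed.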