Semver, the semantic version parser that npm depends on, saw a small but significant update from version 1.1.0 to 1.1.1. While the package description is unchanged – "The semantic version parser used by npm" – the notable difference in the metadata is the release date. Version 1.1.1 was published on November 29th, 2012, following version 1.1.0 on October 2nd, 2012. This relatively quick turnaround most likely reflects bug fixes or minor enhancements discovered after the 1.1.0 release.
For developers, both versions share identical development dependencies, relying on tap version "0.x >=0.0.4" for testing. The MIT license, accessible through the provided URL, gives developers broad usage rights. The repository URL is also unchanged, pointing to git://github.com/isaacs/node-semver.git, where developers can examine the source code, contribute, and follow development. The dist section contains the tarball URL for each version, so either can be downloaded directly from the npm registry. Although not explicitly stated, the short interval between releases suggests that upgrading from 1.1.0 to 1.1.1 is advisable for stability and to pick up any fixes introduced in the newer patch version. The core version-parsing functionality would likely remain fully compatible, which simplifies the upgrade.
All vulnerabilities affecting version 1.1.1 of the package:
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later.
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.