Semver, the semantic version parsing package used extensively by npm, saw a patch-level version bump from 1.1.3 to 1.1.4. Both versions share the same core functionality and rely on the "tap" testing framework (version 0.x, >=0.0.4) as a development-time dependency for quality assurance. Both are released under the MIT License and hosted on GitHub, ensuring broad usability and contribution possibilities. The key difference lies in the release date: version 1.1.4 was published on March 1st, 2013, while version 1.1.3 was released on February 6th, 2013.
For developers, this update likely represents bug fixes, performance improvements, or minor feature additions implemented between those dates. While the core API and usage probably remain consistent, upgrading from 1.1.3 to 1.1.4 is recommended for enhanced stability and potentially better efficiency. Checking the changelog or release notes (typically found in the GitHub repository) for the specific changes introduced in 1.1.4 is advised, to ensure seamless integration and to take advantage of the latest refinements. Because the package is so widely adopted within the npm ecosystem, even small changes can have a large impact on the dependency trees of user applications.
All vulnerabilities affecting version 1.1.4 of the package
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later.
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the new Range constructor when untrusted user data is provided as a range.
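Both advisories above describe the same class of problem: an unbounded regular expression applied to attacker-controlled version or range strings. The following is an added example, not code from semver or from this page's author, showing two defensive measures a practitioner would apply: (1) checking whether an installed semver version falls inside the affected ranges quoted in the two advisories, and (2) a bounded, anchored version parser that rejects overlong input before any regex runs, as a pattern for wrapping calls into a version/range parser with untrusted data. The function names, the 64-character cap and the digit/prerelease length limits are this example's own assumptions.

```javascript
// Added example (not semver's own code). Helper names and limits are assumptions.
const MAX_VERSION_LENGTH = 64; // defensive cap applied before any regex runs

// Anchored, with bounded quantifiers only and no nested repetition, so the
// match cost is linear in the (already capped) input length.
const VERSION_RE = /^v?(\d{1,10})\.(\d{1,10})\.(\d{1,10})(?:-[0-9A-Za-z.-]{1,50})?$/;

// Parse "x.y.z" (optionally "vx.y.z" or with a prerelease suffix) into numbers,
// returning null for anything overlong or malformed.
function parseVersion(input) {
  if (typeof input !== 'string' || input.length > MAX_VERSION_LENGTH) {
    return null; // reject before the string ever reaches the regex engine
  }
  const m = VERSION_RE.exec(input.trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

function lessThan(v, boundary) {
  return compareVersions(v, parseVersion(boundary)) < 0;
}

// First advisory: 4.3.1 and earlier affected, fixed in 4.3.2.
function affectedByFirstAdvisory(v) {
  return lessThan(v, '4.3.2');
}

// Second advisory: 7.x before 7.5.2, 6.x before 6.3.1, all others before 5.7.2.
function affectedBySecondAdvisory(v) {
  if (v.major === 7) return lessThan(v, '7.5.2');
  if (v.major === 6) return lessThan(v, '6.3.1');
  return lessThan(v, '5.7.2');
}

// Report which of the two advisories an installed semver version falls under.
function auditInstalledSemver(versionString) {
  const v = parseVersion(versionString);
  if (!v) return { valid: false, advisories: [] };
  const advisories = [];
  if (affectedByFirstAdvisory(v)) advisories.push('ReDoS (fixed in 4.3.2)');
  if (affectedBySecondAdvisory(v)) {
    advisories.push('ReDoS in new Range (fixed in 5.7.2 / 6.3.1 / 7.5.2)');
  }
  return { valid: true, advisories };
}

// Usage: the version this page describes is caught by both advisories.
console.log(auditInstalledSemver('1.1.4'));
console.log(auditInstalledSemver('7.5.2'));
```

The audit logic is deliberately written without depending on the semver package itself, since the point is to evaluate an installed copy of that package rather than call into it; in a real project the version string would come from the lockfile or from the installed package's package.json. The length cap and bounded regex illustrate the general mitigation for both advisories: never hand unbounded, untrusted strings to a parser whose regular expressions may backtrack.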