Semver, a crucial package for semantic version parsing in npm, saw a notable update from version 1.1.4 to 2.0.1. This upgrade introduced several changes important for developers managing dependencies. One key difference lies in the addition of uglify-js as a development dependency in version 2.0.1, specifically version ~2.3.6. This suggests enhanced minification or code optimization processes were implemented for testing or build purposes. Furthermore, the license information evolved. Version 1.1.4 specified a MIT license with a URL pointing to the license file on GitHub, while version 2.0.1 simplifies this to a BSD license.
The release dates also highlight a significant gap, with version 1.1.4 being released in March 2013 and version 2.0.1 in June 2013, marking a period of active development and improvement. Developers should note the potential impact of these changes on their projects. The switch to a BSD license might have legal implications depending on your project's licensing strategy. The inclusion of uglify-js could indicate a more robust testing or build pipeline, leading to greater stability and reliability in version parsing. These details are critical for developers to evaluate when deciding which semver version best suits their specific project needs.
All the vulnerabilities related to the version 2.0.1 of the package
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
