Semver, the semantic version parser at the heart of Node.js package management, saw a patch version bump from 2.0.3 to 2.0.4 in June 2013. The package description is unchanged, "The semantic version parser used by npm", and the two manifests differ only in the packaged version number and the release time. Both versions declare the same development dependencies: the testing framework 'tap' (a 0.x release, required as >=0.0.4) and the JavaScript minifier 'uglify-js' (~2.3.6). Both are licensed under the BSD license and point at the same GitHub source repository. For anyone depending on semver, the change in the third digit signals a patch release, that is, bug fixes or minor corrections rather than new features or API changes. The two releases are separated by just under 20 minutes, which suggests a quick turnaround, most likely to address an issue noticed immediately after 2.0.3 was published.

Semver lets developers express version ranges and dependency constraints, which greatly simplifies upgrading and dependency management in JavaScript projects. The library is ubiquitous in the JavaScript ecosystem: npm itself uses it, as do tools such as yarn, pnpm and bower. If you work in JavaScript day to day, you will almost certainly have this package installed, directly or as a transitive dependency.
All vulnerabilities affecting version 2.0.4 of the package
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Update to version 4.3.2 or later. Version 2.0.4 falls inside the affected range.
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. Version 2.0.4 is therefore affected; update to 5.7.2, 6.3.1 or 7.5.2 (or later) on the branch you are tracking. The trigger is attacker-controlled range input: range strings taken from your own manifests are not the exposure, but any range parsed from a user request is, and such input should be length-limited before it reaches the parser.
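The two advisories above give four fix versions across three branches. As an added example (not code from the semver project or from this page), the following JavaScript encodes those rules so that a semver version pulled from a lockfile can be checked against both advisories, and shows the guard the second advisory turns on: an attacker-controlled range string is length-capped before any range parser sees it. The version comparator, the MAX_UNTRUSTED_RANGE_LENGTH cap, the guardedRange wrapper and the sample version list are assumptions made for this example, not part of semver's API.

```javascript
// Added example for this page (not semver project code): report which of the two
// ReDoS advisories listed above still apply to an installed semver version, and
// wrap untrusted range input in a length guard before it reaches a range parser.

// Assumption: cap for attacker-controlled range strings, chosen for this example.
const MAX_UNTRUSTED_RANGE_LENGTH = 256;

// Strict "x.y.z[-prerelease][+build]" parser. Both character classes exclude '+',
// so the prerelease and build parts cannot overlap; the pattern is anchored and
// has no nested or ambiguous quantifiers, so matching is linear in input length.
const VERSION_RE = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseVersion(v) {
  const m = VERSION_RE.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${JSON.stringify(v)}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Prerelease ordering per the semver spec: dot-separated identifiers compared left
// to right; numeric identifiers compare as integers and sort before alphanumeric
// ones; when all shared identifiers are equal, the shorter list is lower.
function comparePrerelease(a, b) {
  const as = a.split('.'), bs = b.split('.');
  for (let i = 0; i < Math.min(as.length, bs.length); i++) {
    const x = as[i], y = bs[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return Math.sign(as.length - bs.length);
}

// Returns -1, 0 or 1. A prerelease sorts before the same release (1.2.3-rc.1 < 1.2.3).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  if (pa.prerelease && pb.prerelease) return comparePrerelease(pa.prerelease, pb.prerelease);
  return 0;
}

// Advisory rules exactly as stated on this page.
const ADVISORY_VERSION_STRING_REDOS = 'ReDoS on long version strings (fixed in 4.3.2)';
const ADVISORY_RANGE_REDOS = 'ReDoS via new Range (fixed in 7.5.2 / 6.3.1 / 5.7.2)';

const ADVISORIES = [
  // "Versions 4.3.1 and earlier" == anything below 4.3.2.
  { id: ADVISORY_VERSION_STRING_REDOS, affects: (v) => compareVersions(v, '4.3.2') < 0 },
  // Branch-specific fixes: 7.x before 7.5.2, 6.x before 6.3.1, everything else before 5.7.2.
  {
    id: ADVISORY_RANGE_REDOS,
    affects: (v) => {
      const { major } = parseVersion(v);
      if (major === 7) return compareVersions(v, '7.5.2') < 0;
      if (major === 6) return compareVersions(v, '6.3.1') < 0;
      return compareVersions(v, '5.7.2') < 0;
    },
  },
];

// Which advisories still apply to an installed version.
function advisoriesFor(version) {
  return ADVISORIES.filter((a) => a.affects(version)).map((a) => a.id);
}

// Guard for the second advisory's trigger: never hand an unbounded, attacker-controlled
// string to a range parser. `parseRange` is whatever parser the caller uses (for
// instance semver's Range constructor); this wrapper only supplies the size check.
function guardedRange(input, parseRange) {
  if (typeof input !== 'string') throw new TypeError('range must be a string');
  if (input.length > MAX_UNTRUSTED_RANGE_LENGTH) {
    throw new RangeError(`range rejected: ${input.length} chars exceeds ${MAX_UNTRUSTED_RANGE_LENGTH}`);
  }
  return parseRange(input);
}

// Constructed sample: versions a lockfile audit might surface, one per fix boundary.
const SAMPLE_INSTALLED = ['2.0.4', '4.3.1', '4.3.2', '5.7.1', '5.7.2', '6.3.0', '6.3.1', '7.5.1', '7.5.2', '7.6.0'];

function auditSample() {
  return Object.fromEntries(SAMPLE_INSTALLED.map((v) => [v, advisoriesFor(v)]));
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Running the block prints the sample audit: 2.0.4 and 4.3.1 carry both advisories, 4.3.2 through 7.5.1 carry only the Range one, and 5.7.2, 6.3.1, 7.5.2 and 7.6.0 carry none. The prerelease handling matters at the boundaries: a 7.5.2-rc.1 install is still below 7.5.2 and is reported as affected.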