Semver, the semantic version parser that npm itself depends on for package management, moved from version 3.0.1 to 4.0.0. Both versions share the same purpose and the same license (BSD), but the upgrade is a major version bump, which under semantic versioning signals incompatible changes to the public API rather than a routine feature or bug-fix release. Developers should treat the jump accordingly.
Both versions use tap for testing and uglify-js for minification during development, so the development dependencies are unchanged. The core functionality is the same: parsing semantic version strings and comparing, validating, and manipulating them according to the semantic versioning rules (numeric major.minor.patch comparison, prerelease identifiers sorting before the corresponding release, build metadata ignored for precedence). The GitHub repository URL is also unchanged, so the source of the package is the same project.
The package metadata alone does not show what changed; the only visible difference is the version number. A move from 3.x.x to 4.x.x means the maintainers considered at least one change incompatible, whether an API alteration, a change in how ranges are interpreted, or a bug fix that alters results callers may rely on. A developer considering the upgrade should read the changelog or release notes for 4.0.0 and re-run any tests that depend on version comparison or range matching before adopting it. 3.0.1 was released in July 2014, while 4.0.0 was released in September 2014.
All known vulnerabilities affecting version 4.0.0 of the package
Regular Expression Denial of Service in semver
Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service (ReDoS) vulnerability when extremely long version strings are parsed. Version 4.0.0 falls in this range. Because the vulnerable code path is the version parser itself, any call that parses a string from an untrusted source (a package manifest, a user-supplied version field) can be made to consume excessive CPU time.
Update to version 4.3.2 or later.
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. Version 4.0.0 is covered by the "all other versions before 5.7.2" clause, and no patched release exists on the 4.x line, so resolving this advisory means moving to 5.7.2, 6.3.1, or 7.5.2 or later. Until then, do not pass untrusted strings to new Range (or to the helpers built on it, such as satisfies and validRange) without first bounding their length.