Semver, the semantic version parser used by npm, saw a notable update from version 5.3.0 to 5.4.0. Both versions keep the same core purpose and ISC license, so developers can rely on a consistent and freely usable tool. The repository is unchanged, pointing to the official npm/node-semver GitHub location.
A key difference lies in the release date. Version 5.4.0 was published on July 24, 2017, marking roughly a year after the release of version 5.3.0 on July 14, 2016. This temporal gap signals accumulated enhancements, bug fixes, and potentially new features incorporated into the newer version.
The most significant difference for developers is the change in devDependencies. Version 5.3.0 relied on the tap testing framework at version ^2.0.0, while version 5.4.0 moved to tap version ^10.7.0. This is a substantial jump in the testing dependency, indicating a probable modernization of the test suite. Developers who contribute to the semver package should update the tap dependency. Users of the library benefit from improved reliability and code quality. Developers integrating semver into their projects should be aware of the updated testing framework when contributing or debugging, but it does not affect how the library itself is used. The tarball URLs differ, as each points to its respective version on the npm registry.
All vulnerabilities affecting version 5.4.0 of the package
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the new Range function when untrusted user data is supplied as a range.
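As an added example (not code from the npm/node-semver project or from this page), the following audit helper checks installed semver versions against the fixed versions stated in the advisory above, so an affected copy such as 5.4.0 can be flagged in a dependency tree. The version parser is a simplified one that ignores prerelease and build tags, and the lockfile-style sample entries are constructed.

```javascript
// Added example (not part of the original page): decide whether an installed
// semver package version falls inside the ReDoS-affected ranges stated above.
// Fixed versions per branch, taken from the advisory text on this page.
const FIXED_BY_BRANCH = { 7: [7, 5, 2], 6: [6, 3, 1] };
const FIXED_DEFAULT = [5, 7, 2]; // "all other versions before 5.7.2"

// Parse "major.minor.patch" (optional leading "v"; a -prerelease or +build
// suffix is accepted but ignored by this simplified parser). Returns null
// for anything else rather than guessing.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(s).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` is affected by the Range ReDoS, false if it carries the
// fix (or is newer); throws on an unparseable version string.
function isAffectedByRangeReDoS(version) {
  const v = parseVersion(version);
  if (v === null) throw new Error(`unparseable version: ${version}`);
  const fixed = FIXED_BY_BRANCH[v[0]] || FIXED_DEFAULT;
  return compareTriples(v, fixed) < 0;
}

// Audit helper: takes an object of install path -> installed version (the
// shape of package-lock "packages" entries) and returns the affected paths.
function auditInstalled(entries) {
  return Object.entries(entries)
    .filter(([, version]) => isAffectedByRangeReDoS(version))
    .map(([path]) => path);
}

// Constructed sample input for a stand-alone run.
const sample = {
  'node_modules/semver': '5.4.0',
  'node_modules/npm/node_modules/semver': '7.5.2',
  'node_modules/eslint/node_modules/semver': '6.3.0',
};
console.log('affected:', auditInstalled(sample));
```

Nested copies of semver are common in a real tree, so run the helper over every `node_modules/**/semver` entry in the lockfile, not just the top-level one.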