Semver version 7.3.7 is a small update to its predecessor, version 7.3.6, in the widely used semantic version parser library. Both versions keep the same core functionality, description, and ISC licensing. The repository and author are unchanged, indicating continuity in maintenance and origin.
The key differences lie in the dependency specifications and the distribution package. Version 7.3.7 changes the lru-cache dependency to the range ^6.0.0, whereas version 7.3.6 requires lru-cache ^7.4.0. This most likely reflects a decision to broaden compatibility, either to avoid problems introduced by newer lru-cache releases or to accommodate users with older project setups. From a developer perspective, the change points toward greater backward compatibility.
Additionally, the devDependencies show a change in @npmcli/template-oss from version 3.2.2 in 7.3.6 to 3.3.2 in 7.3.7. Because this is a development dependency, it affects only developers who contribute to the library, not its users. The unpacked size of the distribution grows slightly, from 87319 to 87418 bytes, consistent with a small change to the published code. Finally, version 7.3.7 was released on April 12, 2022, following version 7.3.6 on April 6, 2022. Taken together, these changes indicate a regular maintenance update or patch to the semver library. Developers should review what the lru-cache dependency adjustment means for their own projects.
All known vulnerabilities affecting version 7.3.7 of the package
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
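As an added example (not code from the semver project or from this advisory), the following Node.js snippet encodes the affected ranges stated above and scans a package-lock.json "packages" map for semver installs that fall inside them. The lockfile object is a constructed sample; the function and variable names are chosen for this example.

```javascript
// Added example: flag installed semver versions that fall in the ranges the
// advisory names (7.x < 7.5.2, 6.x < 6.3.1, all other versions < 5.7.2),
// then scan a constructed lockfile object. No dependency on semver itself.

function parseVersion(v) {
  // Lockfiles record plain MAJOR.MINOR.PATCH; anything else is rejected.
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableSemver(version) {
  const major = parseVersion(version)[0];
  // Each maintained branch has its own first fixed release; every other
  // version is affected only if it predates 5.7.2 (so 8.x is out of scope).
  if (major === 7) return compareVersions(version, '7.5.2') < 0;
  if (major === 6) return compareVersions(version, '6.3.1') < 0;
  return compareVersions(version, '5.7.2') < 0;
}

// Walk a lockfileVersion 2/3 "packages" map (keys are install paths such as
// "node_modules/semver" or "node_modules/tool/node_modules/semver").
function findVulnerableSemver(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/semver$/.test(path)) continue;
    if (isVulnerableSemver(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile, not from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/semver': { version: '7.3.7' },
    'node_modules/some-tool/node_modules/semver': { version: '5.7.2' },
    'node_modules/other-tool/node_modules/semver': { version: '6.3.0' },
  },
};

console.log(findVulnerableSemver(SAMPLE_LOCK));
```

Nested copies of semver pulled in by other tools are the ones most often missed, which is why the scan walks every install path rather than only the top-level entry.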