npm audit is showing latest laravel-mix as using an insecure version of semver (7.3.5)
#3364
Comments
Just adding some more details about the packages:
I think we may be able to resolve this by bumping babel-loader to the latest version. It looks like make-dir, which has the vulnerable version of semver, was removed from babel-loader's package.json file. I did not see anything about any breaking changes from v8 to v9 in https://github.com/babel/babel-loader/releases
Is there any movement on this?
@jonathan-gruenhut - I think so, I believe the vulnerable version was 7.3.5 and I am now seeing 7.5.4 on my installs:

```
-- laravel-mix@6.0.49
+-- babel-loader@8.3.0
| `-- make-dir@3.1.0
|   `-- semver@6.3.1 deduped
+-- css-loader@5.2.7
| `-- semver@7.5.4
+-- postcss-loader@6.2.1
| `-- semver@7.5.4
+-- semver@7.5.4
`-- webpack-notifier@1.15.0
  `-- node-notifier@9.0.1
    `-- semver@7.5.4
```

If I am reading https://nvd.nist.gov/vuln/detail/CVE-2022-25883 correctly, it indicates that the issue was resolved in 7.5.2 (and 6.3.1). Are you still seeing an issue when you run `npm audit`? Have you tried doing an `npm upgrade`?
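An added check, not code from this thread or from laravel-mix, that walks the JSON `npm ls --all --json` prints and flags every copy of semver older than the fix versions the comment above cites (6.3.1 for 6.x, 7.5.2 for 7.x). The dependency tree is a constructed sample mirroring the one above, with postcss-loader left on the 7.3.5 from the title so that one hit shows up.

```javascript
// Added example, not from this thread or from laravel-mix: walk the JSON that
// `npm ls --all --json` prints and report every copy of semver that is older
// than the fix versions cited above for CVE-2022-25883 (6.3.1 / 7.5.2).
// Assumes the stock `npm ls --json` shape: { version, dependencies: { name: node } }.
const FIXED = { 6: [6, 3, 1], 7: [7, 5, 2] }; // patched release per major line

// "7.5.4-beta.1" -> [7, 5, 4]; pre-release/build suffixes are ignored here.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Majors without a listed fix (e.g. 5.x) are flagged for manual review, not passed.
function isVulnerableSemver(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  return !fixed || compare(parsed, fixed) < 0;
}

// Returns "parent@ver > ... > semver@ver" strings for every vulnerable copy in the tree.
// Deduped nodes that carry no version (older npm output) are skipped, not reported.
function findVulnerableSemver(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'semver' && node.version && isVulnerableSemver(node.version)) {
      findings.push(here.join(' > '));
    }
    findings.push(...findVulnerableSemver(node, here));
  }
  return findings;
}
// Constructed sample mirroring the tree in the comment above, except that
// postcss-loader is left on the 7.3.5 reported in the title to show a hit.
const SAMPLE_TREE = {
  name: 'laravel-mix', version: '6.0.49', dependencies: {
    'babel-loader': { version: '8.3.0', dependencies: {
      'make-dir': { version: '3.1.0', dependencies: { semver: { version: '6.3.1' } } } } },
    'css-loader': { version: '5.2.7', dependencies: { semver: { version: '7.5.4' } } },
    'postcss-loader': { version: '6.2.1', dependencies: { semver: { version: '7.3.5' } } },
    semver: { version: '7.5.4' },
  },
};
const hits = findVulnerableSemver(SAMPLE_TREE);
console.log(hits.length ? hits.join('\n') : 'no vulnerable semver copies');
```

On a real project, pipe `npm ls --all --json` into `JSON.parse` and pass the result to `findVulnerableSemver` instead of the constructed sample.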
My +1 to close this issue as resolved
Resolved on audit fix, thanks
- `npm list --depth=0`:
- `node -v`: v18.2.0
- `npm -v`: 8.9.0

Description:

`npm audit` is showing latest laravel-mix as using an insecure version of `semver` (7.3.5)

Steps To Reproduce:

Run `npm audit` on any laravel-mix project using 6.0.49 or lower

Workaround:

`npm audit --omit=dev` will pass since `laravel-mix` is a dev dependency