fix(deps): update npm to ^10.9.3 #972

Merged: 1 commit, Jun 26, 2025

Conversation

MikeMcC399 (Contributor)

Situation

  • Before the release of [email protected], installing @semantic-release/npm reported a low severity vulnerability
  • For such existing projects, npm audit fix continues to report that the vulnerability cannot be fixed and refers to GHSA-v6h2-p8h4-qcjw (CVE-2025-5889 - brace-expansion Regular Expression Denial of Service vulnerability)
  • Since the release of [email protected], a new installation of @semantic-release/npm reports no vulnerability
  • Uninstalling and re-installing semantic-release and / or @semantic-release/npm also works around the issue

Change

Update npm in package.json dependencies from ^10.5.0 to ^10.9.3

[email protected] includes the fixed dependency [email protected]

Note

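The situation described above (a lockfile that keeps an old copy of a transitive dependency even though the declared range already admits a fixed release) can be checked directly from package-lock.json rather than by trusting npm audit's summary. The script below is an added example and is not code from semantic-release or this pull request. It uses a constructed lockfileVersion 3 document that mimics the pre-fix state (an npm 10.5.x install carrying a nested brace-expansion, plus a top-level brace-expansion 1.x), lists every installed copy of the package with the nesting that owns it, and compares each version against a table of patched floors. The patched floors in PATCHED_FLOORS are an assumption for illustration; confirm them against GHSA-v6h2-p8h4-qcjw before relying on the verdict. caret_allows shows why a fresh install resolves cleanly: ^10.5.0 already admits 10.9.3, so only the existing lockfile pins the old tree.

```python
"""Find every installed copy of a transitive dependency in package-lock.json and
flag copies below a patched version floor.  Added example; not project code."""
import json
import re

# Constructed sample package-lock.json (lockfileVersion 3).  Not a real lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "demo-project",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@semantic-release/npm": "^12.0.1"}},
        "node_modules/@semantic-release/npm": {
            "version": "12.0.1", "dependencies": {"npm": "^10.5.0"}},
        "node_modules/npm": {"version": "10.5.0"},
        "node_modules/npm/node_modules/brace-expansion": {
            "version": "2.0.1", "inBundle": True},
        "node_modules/brace-expansion": {"version": "1.1.11"},
        "node_modules/minimatch": {
            "version": "3.1.2", "dependencies": {"brace-expansion": "^1.1.7"}},
    },
})

# ASSUMPTION: first patched release per major line.  Verify against the advisory
# (GHSA-v6h2-p8h4-qcjw) before using this table for a real audit.
PATCHED_FLOORS = {"brace-expansion": {1: "1.1.12", 2: "2.0.2"}}


def version_tuple(version):
    """Parse 'MAJOR.MINOR.PATCH' (pre-release/build suffixes ignored) into ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(p) for p in m.groups())


def installed_copies(lock, name):
    """Every installed copy of `name`: lockfile path, owning parent path, version,
    and whether the lockfile marks it as bundled inside its parent."""
    suffix = "node_modules/" + name
    copies = []
    for path, entry in lock["packages"].items():
        if path == suffix or path.endswith("/" + suffix):
            owner = path[: -len(suffix)].rstrip("/") or "(top level)"
            copies.append({
                "path": path,
                "owner": owner,
                "version": entry["version"],
                "bundled": bool(entry.get("inBundle")),
            })
    return copies


def is_below_patched(name, version):
    """True if `version` is older than the patched floor for its major line,
    False if at or above it, None if the major line is not in the table."""
    v = version_tuple(version)
    floor = PATCHED_FLOORS.get(name, {}).get(v[0])
    if floor is None:
        return None
    return v < version_tuple(floor)


def audit_lock(lock_text, name="brace-expansion"):
    """Return one finding per installed copy of `name`, with a vulnerable flag."""
    lock = json.loads(lock_text)
    findings = []
    for copy in installed_copies(lock, name):
        copy["vulnerable"] = is_below_patched(name, copy["version"])
        findings.append(copy)
    return findings


def caret_allows(range_spec, version):
    """Does a caret range such as '^10.5.0' admit `version`?  Handles the
    major > 0 rule only, which is all this example needs."""
    if not range_spec.startswith("^"):
        raise ValueError(f"only caret ranges are supported: {range_spec!r}")
    low = version_tuple(range_spec[1:])
    v = version_tuple(version)
    return v[0] == low[0] and v >= low


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        state = {True: "VULNERABLE", False: "ok", None: "unknown major"}[f["vulnerable"]]
        bundled = " (bundled)" if f["bundled"] else ""
        print(f"{f['path']}: {f['version']}{bundled} owned by {f['owner']} -> {state}")
    # The declared range already admits the fixed npm, so a fresh install is clean;
    # only the existing lockfile keeps the old tree.
    print("^10.5.0 admits 10.9.3:", caret_allows("^10.5.0", "10.9.3"))
```

A copy flagged as bundled and vulnerable is the case npm audit fix cannot repair in place: the nested package is shipped inside its parent, so the parent itself has to move to a release that carries the fixed copy, which is what bumping the npm range (or deleting the lockfile entries by uninstalling and reinstalling) achieves.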
@MikeMcC399 MikeMcC399 marked this pull request as ready for review June 26, 2025 08:25

travi (Member) left a comment

Thanks!

@travi travi enabled auto-merge (squash) June 26, 2025 11:46
@travi travi merged commit 93e0937 into semantic-release:master Jun 26, 2025
6 checks passed

🎉 This PR is included in version 12.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

MikeMcC399 (Contributor, Author)

@travi

Thanks!

Thanks also for merging! I've checked it out on two repos that were previously reporting the vulnerability and everything is now fine 👍🏻

@MikeMcC399 MikeMcC399 deleted the update/npm branch June 26, 2025 12:04
Linked issue (may be closed by merging this pull request):

[email protected] unfixable low vulnerability (CVE-2025-5889)