Conversation

@MikeMcC399
Contributor

@MikeMcC399 MikeMcC399 commented Jun 26, 2025

Situation

  • Before the release of npm@10.9.3, installing @semantic-release/npm reported a low severity vulnerability
  • For such existing projects, npm audit fix continues to report that the vulnerability cannot be fixed and refers to GHSA-v6h2-p8h4-qcjw (CVE-2025-5889 - brace-expansion Regular Expression Denial of Service vulnerability)
  • Since the release of npm@10.9.3, a new installation of @semantic-release/npm reports no vulnerability
  • Uninstalling and re-installing semantic-release and / or @semantic-release/npm also works around the issue

Change

Update npm in package.json dependencies from ^10.5.0 to ^10.9.3

npm@10.9.3 includes the fixed dependency brace-expansion@2.0.2

Member

@travi travi left a comment

Thanks!

@travi travi enabled auto-merge (squash) June 26, 2025 11:46
@travi travi merged commit 93e0937 into semantic-release:master Jun 26, 2025
6 checks passed
@github-actions

🎉 This PR is included in version 12.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@MikeMcC399
Contributor Author

@travi

Thanks!

Thanks also for merging! I've checked it out on two repos that were previously reporting the vulnerability and everything is now fine 👍🏻

@MikeMcC399 MikeMcC399 deleted the update/npm branch June 26, 2025 12:04
electroluxcode pushed a commit to electroluxcode/npm that referenced this pull request Jul 20, 2025
## [1.1.1](v1.1.0...v1.1.1) (2025-07-20)

### Bug Fixes

* **deps:** update npm to ^10.9.3 ([semantic-release#972](https://github.com/electroluxcode/npm/issues/972)) ([93e0937](93e0937))
electroluxcode pushed a commit to electroluxcode/npm that referenced this pull request Aug 1, 2025
## [1.1.1](v1.1.0...v1.1.1) (2025-08-01)

### Bug Fixes

* **deps:** update npm to ^10.9.3 ([semantic-release#972](https://github.com/electroluxcode/npm/issues/972)) ([93e0937](93e0937))
@github-actions

🎉 This PR is included in version 13.0.0-beta.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

🎉 This PR is included in version 13.0.0-alpha.16 🎉

The release is available on:

Your semantic-release bot 📦🚀

Development

Successfully merging this pull request may close these issues.

brace-expansion@2.0.1 unfixable low vulnerability (CVE-2025-5889)