Skip to content

fix(deps): update @semantic-release/npm to ^12.0.2#3791

Merged
travi merged 1 commit into
semantic-release:masterfrom
MikeMcC399:update/semantic-release-npm
Jun 29, 2025
Merged

fix(deps): update @semantic-release/npm to ^12.0.2#3791
travi merged 1 commit into
semantic-release:masterfrom
MikeMcC399:update/semantic-release-npm

Conversation

@MikeMcC399

@MikeMcC399 MikeMcC399 commented Jun 29, 2025

Copy link
Copy Markdown
Contributor

Situation

  • Before the release of npm@10.9.3, installing semantic-release reported a low severity vulnerability
  • For such existing projects, npm audit fix may continue to report that the vulnerability cannot be fixed and refers to GHSA-v6h2-p8h4-qcjw (CVE-2025-5889 - brace-expansion Regular Expression Denial of Service vulnerability)
  • Since the release of npm@10.9.3, a complete new installation of semantic-release reports no vulnerability
  • Uninstalling and re-installing semantic-release also works around the issue
  • Executing npm ci in this repo https://github.com/semantic-release/semantic-release/ also displays the above unfixable vulnerability

Change

Update @semantic-release/npm in package.json dependencies from ^12.0.0 to ^12.0.2

@semantic-release/npm@12.0.2 contains the update to

npm@10.9.3 which includes the fixed dependency

brace-expansion@2.0.2

Note

The update was carried out as follows on Ubuntu 24.04.2 LTS, with Node.js 22.17.0 LTS, Corepack 0.33.0

rm -rf node_modules
corepack enable npm
npm update @semantic-release/npm --save

@MikeMcC399 MikeMcC399 marked this pull request as ready for review June 29, 2025 08:28
@babblebey babblebey requested a review from travi June 29, 2025 15:43

@travi travi left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@travi travi merged commit 93177d0 into semantic-release:master Jun 29, 2025
6 checks passed
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 24.2.6 🎉

The release is available on:

Your semantic-release bot 📦🚀

@MikeMcC399 MikeMcC399 deleted the update/semantic-release-npm branch June 29, 2025 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

brace-expansion@2.0.1 unfixable low vulnerability (CVE-2025-5889)

2 participants