From a453c0e0ef108e0701ba44fcf26fe6a6f2cbb570 Mon Sep 17 00:00:00 2001
From: Will Harney
Date: Tue, 26 Aug 2025 16:27:39 -0400
Subject: [PATCH 1/2] chore(deps): unpin semver all deps have upgraded to address the vulnerability https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
---
 package.json | 2 --
 yarn.lock | 19 ++++++++++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index a75b7550e1..d01ba5e396 100644
--- a/package.json
+++ b/package.json
@@ -98,14 +98,12 @@
 "resolutions": {
 "//": {
 "http-cache-semantics": "Pinned to address security vulnerability",
- "semver": "Pinned to address security vulnerability",
 "@types/estree": [
 "Used by us and our dependencies. Because it's a type definition package,",
 "we need everyone to use the same types (mixing versions breaks stuff)."
 ]
 },
 "http-cache-semantics": "4.1.1",
- "semver": "7.6.0",
 "@types/estree": "^1.0.8"
 },
 "dependencies": {}
diff --git a/yarn.lock b/yarn.lock
index 61a2db0cfe..2486ee2819 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2109,9 +2109,11 @@ "@lwc/eslint-plugin-lwc-internal@link:./scripts/eslint-plugin": version "0.0.0" + uid "" "@lwc/test-utils-lwc-internals@link:./scripts/test-utils": version "0.0.0" + uid "" "@napi-rs/wasm-runtime@0.2.4": version "0.2.4"
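Review bot: Dropping the `semver` entry from `resolutions` in package.json leaves nothing in the manifest that keeps a pre-fix semver out of the tree, so the protection now rests on the lockfile alone, which in this patch resolves semver to 5.7.2, 6.3.1, 7.6.0 and 7.7.2. It is worth confirming against the linked Snyk advisory that each of those is at or above the fixed release for its major line, and that CI runs a dependency audit so a later lockfile regeneration cannot regress unnoticed (no such step is visible in this patch). The remaining `http-cache-semantics` note still says only "Pinned to address security vulnerability"; naming the advisory, e.g. `"http-cache-semantics": "Pinned to address <advisory-id>; drop once all dependents require a fixed release"`, would let the next maintainer repeat this unpin with the same confidence.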
@@ -12225,13 +12227,28 @@ semver-truncate@^1.1.2: dependencies: semver "^5.3.0" -semver@7.6.0, semver@^5.3.0, semver@^5.5.0, semver@^5.6.0, semver@^6.3.0, semver@^6.3.1, semver@^7.1.1, semver@^7.3.2, semver@^7.3.5, semver@^7.5.3, semver@^7.5.4, semver@^7.6.0, semver@^7.6.3, semver@^7.7.2: +semver@^5.3.0, semver@^5.5.0, semver@^5.6.0: + version "5.7.2" + resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.2.tgz#48d55db737c3287cd4835e17fa13feace1c41ef8" + integrity sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g== + +semver@^6.3.0, semver@^6.3.1: + version "6.3.1" + resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4" + integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA== + +semver@^7.1.1, semver@^7.3.2, semver@^7.3.5, semver@^7.5.3, semver@^7.5.4, semver@^7.6.0: version "7.6.0" resolved "https://registry.yarnpkg.com/semver/-/semver-7.6.0.tgz#1a46a4db4bffcccd97b743b5005c8325f23d4e2d" integrity sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg== dependencies: lru-cache "^6.0.0" +semver@^7.6.3, semver@^7.7.2: + version "7.7.2" + resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.2.tgz#67d99fdcd35cec21e6f8b87a7fd515a33f982b58" + integrity sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA== + send@0.19.0: version "0.19.0" resolved "https://registry.yarnpkg.com/send/-/send-0.19.0.tgz#bbc5a388c8ea6c048967049dbeac0e4a3f09d7f8"
From 82e509d04ae369cf6a2aae021bdd806524953d18 Mon Sep 17 00:00:00 2001
From: Will Harney
Date: Tue, 26 Aug 2025 16:37:03 -0400
Subject: [PATCH 2/2] chore(deps): bump http-cache-semantics
---
 package.json | 2 +-
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index d01ba5e396..8d040902d4 100644
--- a/package.json
+++ b/package.json
@@ -103,7 +103,7 @@
 "we need everyone to use the same types (mixing versions breaks stuff)."
 ]
 },
- "http-cache-semantics": "4.1.1",
+ "http-cache-semantics": "4.2.0",
 "@types/estree": "^1.0.8"
 },
 "dependencies": {}
diff --git a/yarn.lock b/yarn.lock
index 2486ee2819..9f55926323 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8214,10 +8214,10 @@ http-assert@^1.3.0: deep-equal "~1.0.1" http-errors "~1.8.0" -http-cache-semantics@3.8.1, http-cache-semantics@4.1.1, http-cache-semantics@^4.0.0, http-cache-semantics@^4.1.0, http-cache-semantics@^4.1.1: - version "4.1.1" - resolved "https://registry.yarnpkg.com/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz#abe02fcb2985460bf0323be664436ec3476a6d5a" - integrity sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ== +http-cache-semantics@3.8.1, http-cache-semantics@4.2.0, http-cache-semantics@^4.0.0, http-cache-semantics@^4.1.0, http-cache-semantics@^4.1.1: + version "4.2.0" + resolved "https://registry.yarnpkg.com/http-cache-semantics/-/http-cache-semantics-4.2.0.tgz#205f4db64f8562b76a4ff9235aa5279839a09dd5" + integrity sha512-dTxcvPXqPvXBQpq5dUr6mEMJX4oIEFv6bwom3FDwKRDsuIjjJGANqhBuoAn9c1RQJIdAKav33ED65E2ys+87QQ== http-errors@2.0.0, http-errors@^2.0.0: version "2.0.0"