Hi Airship team 👋
While running a dependency vulnerability scan on an Expo project that uses airship-expo-plugin, I noticed that the plugin pulls in a vulnerable version of semver through @expo/image-utils.
Current situation
In my project’s dependency tree:
airship-expo-plugin@2.1.0
  └─ @expo/image-utils@0.4.2 (via ^0.4.1)
       └─ semver@7.3.2
Security tools (e.g. Wiz / GitHub / Snyk) flag semver@7.3.2 as vulnerable to CVE-2022-25883, which is fixed in semver >= 7.5.2.
The Airship Expo plugin itself is only used at build / config time, so the practical risk is probably low (ReDoS on crafted version ranges, no untrusted input involved in normal use). But it still shows up as a High finding in security reports.
Suggested change
Bump @expo/image-utils in airship-expo-plugin to a version that depends on a fixed semver:
// package.json
- "@expo/image-utils": "^0.4.1"
+ "@expo/image-utils": "^0.8.7"
Thanks!
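Review bot: the hunk moves `@expo/image-utils` from `^0.4.1` to `^0.8.7` but does not show which `semver` that new range actually resolves to; add the resolved chain after the bump (for example the `npm ls semver` output) so the maintainers can confirm it lands at semver >= 7.5.2, and since this is a jump across several minor lines, mention whether the plugin's own calls into `@expo/image-utils` still build unchanged.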
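As an added example (not part of this issue or of airship-expo-plugin), a small Node script that walks an `npm ls --json`-style dependency tree and reports every path that resolves `semver` below the fixed 7.5.2, which is a repeatable way to confirm a transitive finding like the one above before and after a bump. The tree in the script is a constructed fixture mirroring the chain reported in the issue, not real scanner output.

```javascript
// Walk an `npm ls --json`-style tree and report every path that resolves a
// given package below a minimum fixed version. Added example; the tree is a
// constructed fixture, not real scanner output.
const FIXED_SEMVER = "7.5.2"; // first semver release fixing CVE-2022-25883

// Compare two dotted versions numerically (major.minor.patch), ignoring any
// pre-release suffix; returns <0, 0 or >0 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk of `tree.dependencies`; collects "name@version" chains
// ending at `pkg` whose resolved version is older than `minVersion`.
function findVulnerablePaths(tree, pkg, minVersion, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, minVersion) < 0) {
      out.push(here.join(" > "));
    }
    findVulnerablePaths(node, pkg, minVersion, here, out);
  }
  return out;
}

// Constructed fixture mirroring the chain reported in the issue.
const SAMPLE_TREE = {
  name: "my-expo-app",
  dependencies: {
    "airship-expo-plugin": {
      version: "2.1.0",
      dependencies: {
        "@expo/image-utils": {
          version: "0.4.2",
          dependencies: { semver: { version: "7.3.2" } },
        },
      },
    },
    // A direct, already-fixed semver must not be reported.
    semver: { version: "7.6.0" },
  },
};

console.log(findVulnerablePaths(SAMPLE_TREE, "semver", FIXED_SEMVER));
```

Feed it real output with `npm ls --all --json` piped into `JSON.parse` in place of `SAMPLE_TREE`.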