
Reaper is vulnerable to CVE-2022-25883 in the semver bundle provided #1360

@aadhar-agarwal

Description


NVD - CVE-2022-25883

  • Versions of the semver package before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS).

Reaper is taking a dependency on semver version 2.3.2 -> node_modules/bower/lib/node_module/semver/package.json

Therefore, Reaper is vulnerable to CVE-2022-25883. The patch to fix this has been merged upstream in node-semver v7, v6 and v5.

