I'm facing security vulnerabilities in my npm audit report, specifically related to semver (versions 7.0.0 - 7.5.1) and [email protected], both rated as moderate severity.
Here are the details from the npm audit report:
audit report:
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/@expo/image-utils/node_modules/semver
@expo/image-utils >=0.3.10-alpha.0
Depends on vulnerable versions of semver
node_modules/@expo/image-utils
@expo/prebuild-config *
Depends on vulnerable versions of @expo/image-utils
node_modules/@expo/prebuild-config
@expo/cli >=0.1.0
Depends on vulnerable versions of @expo/prebuild-config
node_modules/@expo/cli
expo >=45.0.0-beta.1
Depends on vulnerable versions of @expo/cli
node_modules/expo
5 moderate severity vulnerabilities
I've already tried running "npm audit fix --force," but it seems to introduce more issues than it resolves. After that command, I end up with 7 moderate and even 9 high severity vulnerabilities.
I'm seeking guidance on how to resolve these vulnerabilities without upgrading to [email protected]. I prefer to keep [email protected] if possible, as updating to [email protected] might cause other compatibility issues.
Additionally, I suspect that some packages may be interdependent, and updating one might create further problems. Should I consider downgrading certain packages to a version where the vulnerabilities are not present?
Any help or suggestions would be greatly appreciated. Thank you in advance for your support!
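As an added illustration (not part of the question above), the five findings in such a report are usually one advisory propagated up a dependency chain; this script, assuming the `npm audit --json` format of npm 7 and later (auditReportVersion 2), collapses a report into one row per advisory and chain and flags whether the offered fix is semver-major. The sample report is constructed to mirror the chain in the question; the fix version is a placeholder because the question text elides it.

```python
# Constructed sample shaped like `npm audit --json` (auditReportVersion 2) for the
# chain in the question; "<fix-version>" is a placeholder, the question elides it.
ADVISORY = {"name": "semver", "severity": "moderate", "range": "7.0.0 - 7.5.1",
            "title": "semver vulnerable to Regular Expression Denial of Service",
            "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"}

def _entry(name, via, effects, direct=False):
    return {"name": name, "severity": "moderate", "isDirect": direct, "via": via, "effects": effects,
            "fixAvailable": {"name": "expo", "version": "<fix-version>", "isSemVerMajor": True}}

SAMPLE_REPORT = {"auditReportVersion": 2, "vulnerabilities": {
    "semver": _entry("semver", [ADVISORY], ["@expo/image-utils"]),
    "@expo/image-utils": _entry("@expo/image-utils", ["semver"], ["@expo/prebuild-config"]),
    "@expo/prebuild-config": _entry("@expo/prebuild-config", ["@expo/image-utils"], ["@expo/cli"]),
    "@expo/cli": _entry("@expo/cli", ["@expo/prebuild-config"], ["expo"]),
    "expo": _entry("expo", ["@expo/cli"], [], direct=True),
}}

def root_advisories(report):
    """Packages whose `via` holds advisory objects (actually vulnerable), not just
    names of other vulnerable packages (merely depending on one)."""
    return {name: [v for v in e["via"] if isinstance(v, dict)]
            for name, e in report["vulnerabilities"].items()
            if any(isinstance(v, dict) for v in e["via"])}

def dependency_chains(report, root):
    """Chains from each direct dependency down to `root`, following `effects` upward."""
    vulns, chains = report["vulnerabilities"], []
    def walk(name, below):
        if name in below:  # guard against cyclic `effects`
            return
        path = [name] + below
        parents = [p for p in vulns[name]["effects"] if p in vulns]
        if vulns[name].get("isDirect") or not parents:
            chains.append(path)
        for parent in parents:
            walk(parent, path)
    walk(root, [])
    return chains

def summarize(report):
    """One row per (advisory, chain), noting whether npm's offered fix is semver-major."""
    rows = []
    for root, advisories in root_advisories(report).items():
        fix = report["vulnerabilities"][root].get("fixAvailable")
        breaking = isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))
        for adv in advisories:
            for chain in dependency_chains(report, root):
                rows.append({"advisory": adv["url"], "vulnerable_range": adv["range"],
                             "chain": chain, "fix_is_breaking": breaking})
    return rows
```

Running it on a real report (`npm audit --json > audit.json`, then `summarize(json.load(open("audit.json")))`) shows which single transitive package each group of findings hangs on, which is the package to check before accepting a semver-major `--force` upgrade.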