This package has ua-parser-js as one of its devDependencies; it appears in package.json as:

```json
"devDependencies": {
  ...
  "ua-parser-js": "^0.7.28",
  ...
}
```
According to CISA:

> CISA urges users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1
https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js
Is this package safe to bump up the version to 0.7.30 or higher? Does "^0.7.28" guarantee that this package will not install compromised versions on npm install?
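As an added example, not code from the issue author or from this project (function names are assumed, and only plain x.y.z versions are handled): a small checker that applies npm's caret-range rule to the versions named in the CISA alert, so you can see which compromised releases a range such as "^0.7.28" would still accept when no lockfile pins the resolution.

```javascript
// Added example (not from the issue or the project): minimal implementation of
// npm's caret semantics for plain x.y.z versions (no prerelease tags, no
// wildcards), used to test a package.json range against known-bad versions.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret rule: allow updates that do not change the left-most non-zero
// component. ^1.2.3 => >=1.2.3 <2.0.0; ^0.7.28 => >=0.7.28 <0.8.0;
// ^0.0.3 => >=0.0.3 <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`caret ranges only: ${range}`);
  const low = parseVersion(range.slice(1));
  const high = caretUpperBound(low);
  const v = parseVersion(version);
  return compareVersions(v, low) >= 0 && compareVersions(v, high) < 0;
}

// Versions taken from the CISA alert quoted in the issue.
const COMPROMISED = ['0.7.29', '0.8.0', '1.0.0'];
const PATCHED = ['0.7.30', '0.8.1', '1.0.1'];

// Returns the versions from `candidates` that the range would accept.
// An empty array means the range cannot resolve to any of them.
function matchingVersions(range, candidates = COMPROMISED) {
  return candidates.filter((v) => caretSatisfies(range, v));
}

console.log('^0.7.28 accepts compromised:', matchingVersions('^0.7.28')); // ['0.7.29']
console.log('^0.7.28 accepts patched:', matchingVersions('^0.7.28', PATCHED)); // ['0.7.30']
console.log('^0.7.30 accepts compromised:', matchingVersions('^0.7.30')); // []
```

A lockfile that already pins 0.7.28 changes the outcome for `npm ci`, but the range alone is what a fresh `npm install` without a lockfile would resolve against.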