Twistlock finds semver CVE-2022-25883 (M)

[praveendiwakar1]

Hi team ,
there is a security vulnerability in semver package being consumed via ututf7@1.0.2 as below,

`-- imap@0.8.19
    `-- utf7@1.0.2
      `-- semver@5.3.0

As there is no repo for utf7 ,and we are consuming the semver from imap. Please pinned the semver 7.5.4 to resolve the issue.

[s100]

As imap seems to be no longer maintained, and nor is utf7, a suggested workaround is to set the following in your own package.json:

{
  "overrides": {
    "utf7": {
      "semver": "^5.7.2"
    }
  }
}

Alternatively, there are several forks of utf7 which have this vulnerability fixed, utf7.1 and safe-utf7. #911 switches to safe-utf7 and will fix this issue.

[s100]

Upstream issue in utf7 is here.