Is v6 vulnerable?/Can the fix be backported?

[loren138]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

GitHub is flagging https://nvd.nist.gov/vuln/detail/CVE-2022-25883 on libraries such as babel that use semver v6
These libraries cannot upgrade to v7 (see babel/babel#15720 (comment)) and as best I can tell semver v6 does not have the new Range function in question

Expected Behavior

If v6 is vulnerable, could the fix be backported?
If not, can v6 be excluded from the security advisory. (Many of us work at companies where leadership expects there to be no open security advisories on our dependencies, so it's nicer if we can close them vs having to explain that we don't use user input in that case and it's not a problem.)

Steps To Reproduce

Use babel, check github security advisories

Environment

No response

[wraithgar]

Yes v6 is affected. The issue is in the range constructor itself, the advisory is incomplete.

Please see the discussion in #564. It is not currently planned given the age, and state of the CI and testing, and lack of release process in those old versions. semver@7 was published in 2019, and the breaking changes were a code refactor, dropping old node versions, and using const/let/arrow functions.

[ljharb]

@wraithgar i'm very interested in having the backport (since i'm permanently stuck on v6 on most projects due to the dropped node versions), i'd be more than happy to pull all the CI stuff onto a branch off of v6, and make a PR, if that's something you'd be willing to merge?

[wraithgar]

You can try but iirc the CI "stuff" isn't currently set up to handle back-ported publishes. It's not something we've tackled yet, nor put any priority into.

[loren138]

Thanks for the link to discussion about this. I missed that PR.

Re others backporting: on the linked PR, it looks like microsoft has already backported the fix to v5 and offered to backport it to v6 because those versions are used within VSCode: #564 (comment)
So I'm not sure if there is need for further work from the community, seems like it's up to the maintainer(s) at this point