{"ecosystem":"npm","package":"semver","version":null,"bugs":[{"id":59,"ecosystem":"npm","package_name":"semver","affected_version":"1.0.4","fixed_version":"4.3.2","bug_id":"osv:GHSA-x6fg-f45m-jf5q","title":"Regular Expression Denial of Service in semver","description":"Versions 4.3.1 and earlier of `semver` are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n\n\n## Recommendation\n\nUpdate to version 4.3.2 or later","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8855","labels":["CVE-2015-8855"],"created_at":"2026-04-19T04:30:09.033182+00:00","updated_at":"2026-04-19T04:30:09.033182+00:00"},{"id":58,"ecosystem":"npm","package_name":"semver","affected_version":"7.0.0","fixed_version":"7.5.2","bug_id":"osv:GHSA-c2qf-rxjj-qqgw","title":"semver vulnerable to Regular Expression Denial of Service","description":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25883","labels":["CVE-2022-25883"],"created_at":"2026-04-19T04:30:09.031552+00:00","updated_at":"2026-04-19T04:30:09.031552+00:00"},{"id":89,"ecosystem":"npm","package_name":"semver","affected_version":"5.5.0","fixed_version":null,"bug_id":"github:607","title":"[BUG] diff prerelease changed between 7.3.8 and 7.5.4","description":"### Is there an existing issue for this?\r\n\r\n- [X] I have searched the existing issues\r\n\r\n### Current Behavior\r\n\r\na diff between a non prerelease version like `5.5.0` and a prerelease version on the same patch now creates a `major` diff while it previously was `prerelease`\r\n\r\nsee 
https://github.com/npm/node-semver/pull/566/files\r\n\r\n### Expected Behavior\r\n\r\nIt should be either `prerelease` or mention the breaking change in the changelog and why you think it should be that way. \r\n\r\n### Steps To Reproduce\r\n\r\n```ts\r\nimport semverDiff from 'semver/functions/diff';\r\n\r\n// is major\r\nconsole.log(semverDiff('1.0.0-alpha.1', '1.0.0'));\r\n```\r\n\r\n### Environment\r\n\r\n- npm: \r\n- Node: 16/18/20\r\n- OS: windows/linux and mac (all on CI failing due to this problem)\r\n- platform:\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/607","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.650052+00:00","updated_at":"2026-04-19T04:30:09.650052+00:00"},{"id":88,"ecosystem":"npm","package_name":"semver","affected_version":"14.15.0","fixed_version":null,"bug_id":"github:609","title":"Semver veracode Vulnerability CVE-2022-25883 | CWE-1333","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nsemver is vulnerable to Regular Expression Denial Of Service (ReDoS)\r\nattacks. 
A malicious user is able to cause parsing slowdowns when\r\nuntrusted user data is provided as a range via the function\r\n`parseRange` due to the usage of regex expression with inefficient\r\ntime complexity.\r\n\r\nPlease find the below screenshot\r\n![image](https://github.com/npm/node-semver/assets/102598539/731bbe0c-7dfc-4fe2-9961-9d7f52f3d30c)\r\n\n\n### Expected Behavior\n\n_No response_\n\n### Steps To Reproduce\n\n_No response_\n\n### Environment\n\n- npm: 6.14.8\r\n- Node: v14.15.0\r\n- OS: WINDOWS\r\n- platform: Dell\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/609","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.649587+00:00","updated_at":"2026-04-19T04:30:09.649587+00:00"},{"id":87,"ecosystem":"npm","package_name":"semver","affected_version":"7.5.1","fixed_version":null,"bug_id":"github:611","title":"Semver veracode Vulnerability CVE-2022-25883","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nReference Ticket: \r\nSemver veracode Vulnerability CVE-2022-25883 | CWE-1333 #609\r\n\r\nAs per suggestion we have upgraded to node v18x, but the vulnerability still exists. Kindly help here.\r\n\r\nAffected package file path: usr/local/lib/node_modules/npm/node_modules/semver/package.json\r\nAffect package version:7.5.1\r\nAffect package fix version: 7.5.2\r\nFinding Title: CVE-2022-25883 - semver\r\n\n\n### Expected Behavior\n\n_No response_\n\n### Steps To Reproduce\n\n1. In this environment...\r\n2. With this config...\r\n3. Run '...'\r\n4. 
See error...\r\n\n\n### Environment\n\n- npm:\r\n- Node:\r\n- OS:\r\n- platform:\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/611","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.649140+00:00","updated_at":"2026-04-19T04:30:09.649140+00:00"},{"id":86,"ecosystem":"npm","package_name":"semver","affected_version":"1.7.0","fixed_version":null,"bug_id":"github:618","title":"[BUG] Why does not satisfy 1.7.0-rc.0 with range ^1?","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nWhy?\r\n* https://jubianchi.github.io/semver-check/#/^1/1.7.0-rc.2 satisfies true\r\n* semver.satisfies('1.7.0-rc.2', '^1') => false?!\n\n### Expected Behavior\n\n semver.satisfies('1.7.0-rc.2', '^1') => true\n\n### Steps To Reproduce\n\n* https://jubianchi.github.io/semver-check/#/^1/1.7.0-rc.2 satisfies true\r\n* semver.satisfies('1.7.0-rc.2', '^1') => false?!\n\n### Environment\n\n- pnpm: ^8\r\n- Node: ^20\r\n- OS: Mac\r\n- platform: Intel\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/618","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.648648+00:00","updated_at":"2026-04-19T04:30:09.648648+00:00"},{"id":85,"ecosystem":"npm","package_name":"semver","affected_version":"5.01.0","fixed_version":null,"bug_id":"github:619","title":"[BUG] Compare major/minor versions starts with 0","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nif the major/minor versions have more than one number and start with `0`, semver doesn't compare versions truly\n\n### Expected Behavior\n\nit should work correctly\n\n### Steps To Reproduce\n\n```js\r\nimport semver from 'semver';\r\n\r\nsemver.satisfies('5.01.0', '>=4.93.0') => false\r\n```\r\n\r\n```js\r\nimport semver from 
'semver';\r\n\r\nsemver.satisfies('5.1.01', '>=4.93.0') => false\r\n```\r\n\n\n### Environment\n\n- npm:\r\n- Node: 16/18/20\r\n- OS: windows/linux and mac\r\n- platform:\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/619","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.648051+00:00","updated_at":"2026-04-19T04:30:09.648051+00:00"},{"id":84,"ecosystem":"npm","package_name":"semver","affected_version":"13.2.3","fixed_version":null,"bug_id":"github:639","title":"Getting Semver Veracode vulnerability on angular project","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nHi Team,\r\nIn our project we are getting semver vulnerability when we are updating semver 6.3.1/7.5.2/7.5.4 through,still it is picking 7.3.5 version in veracode scan.\r\nPlease find the below details\r\nAngular CLI version 13.2.3\r\nAngular core 13.2.2\r\nNode 14.15.0\r\nAfter updating node to 14.17.3 also same scan issue.\r\n\r\n![image](https://github.com/npm/node-semver/assets/102598539/7bd93ea9-2406-4b26-a831-2718e0297333)\r\n![image](https://github.com/npm/node-semver/assets/102598539/e573101a-71fa-4fe6-b6f7-75475c85c0a4)\r\n\n\n### Expected Behavior\n\n_No response_\n\n### Steps To Reproduce\n\n_No response_\n\n### Environment\n\n- npm: 8.13.2\r\n- Node:14.15.0\r\n- OS: Windows\r\n- platform: Dell Latitude 5521\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/639","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.647606+00:00","updated_at":"2026-04-19T04:30:09.647606+00:00"},{"id":83,"ecosystem":"npm","package_name":"semver","affected_version":"7.0.0","fixed_version":null,"bug_id":"github:640","title":"Vulnerabilities in semver package","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing 
issues\n\n### Current Behavior\n\nI've identified multiple moderate severity vulnerabilities in the semver package while using it in my project. These vulnerabilities are detailed in the output of npm audit. The affected versions of the semver package range from 7.0.0 to 7.5.1.\n\n### Expected Behavior\n\nI expect that the packages I use, including semver, do not have known vulnerabilities that could pose a security risk to my project.\r\n\r\nActual Behavior:\r\nThe npm audit command has reported several moderate severity vulnerabilities in the semver package, which is concerning for the security of my project.\n\n### Steps To Reproduce\n\nInstall the semver package by running npm install semver in your project.\r\nRun npm audit to check for vulnerabilities in your project's dependencies.\r\nExpected Behavior:\r\nI expect that the packages I use, including semver, do not have known vulnerabilities that could pose a security risk to my project.\n\n### Environment\n\n- npm: 9.8.1\r\n- Node: 18.18.1\r\n- OS: Windows 11\r\n- platform: Windows 11\r\n\r\nPS C:\\Users\\Manol\\OneDrive\\Documents\\Personal Programming Projects\\Expo\\Test> npm audit\r\n# npm audit report\r\n\r\nsemver  7.0.0 - 7.5.1\r\nSeverity: moderate\r\nsemver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw\r\nfix available via `npm audit fix --force`\r\nWill install expo-splash-screen@0.10.3, which is a breaking change\r\nnode_modules/@expo/image-utils/node_modules/semver\r\n  @expo/image-utils  >=0.3.10-alpha.0\r\n  Depends on vulnerable versions of semver\r\n  node_modules/@expo/image-utils\r\n    @expo/prebuild-config  *\r\n    Depends on vulnerable versions of @expo/image-utils\r\n    node_modules/@expo/prebuild-config\r\n      @expo/cli  >=0.1.0\r\n      Depends on vulnerable versions of @expo/prebuild-config\r\n      node_modules/@expo/cli\r\n        expo  >=45.0.0-beta.1\r\n        Depends on vulnerable versions of @expo/cli\r\n        
node_modules/expo\r\n          expo-router  *\r\n          Depends on vulnerable versions of expo\r\n          Depends on vulnerable versions of expo-splash-screen\r\n          node_modules/expo-router\r\n      expo-splash-screen  >=0.11.0\r\n      Depends on vulnerable versions of @expo/prebuild-config\r\n      node_modules/expo-splash-screen\r\n\r\n7 moderate severity vulnerabilities\r\n\r\nTo address all issues (including breaking changes), run:\r\n  npm audit fix --force\r\nPS C:\\Users\\Manol\\OneDrive\\Documents\\Personal Programming Projects\\Expo\\Test> nvm -v\r\n1.1.11\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/640","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.647079+00:00","updated_at":"2026-04-19T04:30:09.647079+00:00"},{"id":82,"ecosystem":"npm","package_name":"semver","affected_version":"1.2.0","fixed_version":null,"bug_id":"github:644","title":"[BUG] Inc function give incorrect version when bumping subsequent pre versions","description":"### Is there an existing issue for this?\r\n\r\n- [X] I have searched the existing issues\r\n\r\n### Current Behavior\r\n\r\nWe have found that trying to increment any preversion (premajor, preminor, prepatch) results in wrong version calculation\r\n\r\n### Expected Behavior\r\n\r\nThe expected behavior will be the prerelease number to bump on subsequent prereleases\r\n\r\n\r\n### Steps To Reproduce\r\n\r\nYou can check any of the following test, all failing in `increment.js`\r\n  ['1.2.0-dev.2', 'preminor', '1.2.0-dev.3', false, 'dev', false],\r\n  ['2.0.0-dev.2', 'premajor', '2.0.0-dev.3', false, 'dev', false],\r\n  ['1.2.1-dev.2', 'prepatch', '1.2.1-dev.3', false, 'dev', false],\r\n\r\n### Environment\r\n\r\n_No response_","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/644","labels":["Bug","Needs 
Triage"],"created_at":"2026-04-19T04:30:09.646552+00:00","updated_at":"2026-04-19T04:30:09.646552+00:00"},{"id":81,"ecosystem":"npm","package_name":"semver","affected_version":"18.17.0","fixed_version":null,"bug_id":"github:665","title":"[BUG] BNF does not match the implementation","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\n``` js\r\nsemver.valid('1.2.3-00') // 'null'\r\nsemver.valid('1.2.3+00') // '1.2.3'\r\n```\r\n\r\nHowever, according to the BNF\r\n``` bnf\r\nqualifier  ::= ( '-' pre )? ( '+' build )?\r\npre        ::= parts\r\nbuild      ::= parts\r\nparts      ::= part ( '.' part ) *\r\npart       ::= nr | [-0-9A-Za-z]+\r\n```\r\n\r\n`pre` and `build` are just the same.\n\n### Expected Behavior\n\nThe behavior of program is correct, but BNF is not.\r\n\r\nWe need to update the BNF form.\n\n### Steps To Reproduce\n\n_No response_\n\n### Environment\n\n- npm: 9.9.1\r\n- Node: v18.17.0\r\n- OS: windows\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/665","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.646105+00:00","updated_at":"2026-04-19T04:30:09.646105+00:00"},{"id":80,"ecosystem":"npm","package_name":"semver","affected_version":null,"fixed_version":null,"bug_id":"github:669","title":"[QUESTION] Range class represents a range-set?","description":"### Is there an existing issue for this?\r\n\r\n- [X] I have searched the existing issues\r\n\r\n### Current Behavior\r\n\r\nWhen looking at the `Range` class implementation, the `parse()` splits the input by `||` and `format()` joins it with `||`.\r\nAccording to the [bnf](https://github.com/npm/node-semver/blob/main/range.bnf), this is a `range-set`.\r\nThis is confusing as the `Range` class has a property called `set`. Why is it named `Range` and not `RangeSet`?  
\r\n\r\n### Expected Behavior\r\n\r\n_No response_\r\n\r\n### Steps To Reproduce\r\n\r\n_No response_\r\n\r\n### Environment\r\n\r\n_No response_","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/669","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.645674+00:00","updated_at":"2026-04-19T04:30:09.645674+00:00"},{"id":79,"ecosystem":"npm","package_name":"semver","affected_version":"21.9","fixed_version":null,"bug_id":"github:670","title":"[BUG] Version without bugfix is considered invalid","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nI was testing my product logic today and figured the short version (`<MAJOR>.<MINOR>`) is considered invalid (since the regular expressions for both full and loose versions require the group for bugfix component).\r\n\r\nThis does not just go against the examples in both comments in the code and README, but also seems weird:\r\n\r\n```js\r\nnew semver.SemVer('21.9') // Uncaught TypeError: Invalid Version: 21.9\r\n```\n\n### Expected Behavior\n\n```js\r\nnew semver.SemVer('1.2') // returns a valid SemVer object\r\n```\n\n### Steps To Reproduce\n\n1. Try to instantiate short version (`<MAJOR>.<MINOR>`) by any means - `new SemVer('21.9')` or `semver.satisfies('21.9', '21.x')`\r\n2. 
An error is thrown\r\n\n\n### Environment\n\n- npm: `9.5.1`\r\n- yarn: `4.0.0`\r\n- Node: `18.16.1`\r\n- OS: `OSX`\r\n- platform: `Apple M1 arm64` / `Chrome 120.0.6099.109`\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/670","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.645190+00:00","updated_at":"2026-04-19T04:30:09.645190+00:00"},{"id":78,"ecosystem":"npm","package_name":"semver","affected_version":"1.0.0","fixed_version":null,"bug_id":"github:672","title":"[BUG] RC version without dash passes `validSemver` but fails on `semverCompare`","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\n```\r\nvalid(\"1.0.0rc1\")\r\n```\r\nreturns true, but\r\n```\r\n[\"1.0.0\", \"1.0.0rc1\"].sort(compare)\r\n```\r\nthrows\r\n```\r\nTypeError: Invalid Version: 1.0.0rc1\r\n```\n\n### Expected Behavior\n\n`valid(\"1.0.0rc1\")` returns false\n\n### Steps To Reproduce\n\nSee current/expected behaviour.\n\n### Environment\n\n- npm:\r\n- Node: 18\r\n- OS: osx\r\n- platform: arm64\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/672","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.644741+00:00","updated_at":"2026-04-19T04:30:09.644741+00:00"},{"id":77,"ecosystem":"npm","package_name":"semver","affected_version":"18.0.0","fixed_version":null,"bug_id":"github:676","title":"[BUG?] 
Remove redundant conditions from `Range`","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\n`new Range('>=18 || >=18')` keeps the redundant condition, and formats itself as `>=18.0.0||>=18.0.0`\n\n### Expected Behavior\n\nThe result should be just `>=18.0.0` -- it should deduplicate the condition\n\n### Steps To Reproduce\n\n```js\r\nconst { Range } = require('semver');\r\nconsole.log(new Range('>=18 || >=18').toString());\r\n```\n\n### Environment\n\n- npm: 10.2.4\r\n- Node: 20.11.0\r\n- OS: Ubuntu 22.04.3 via WSL2 on Windows 11\r\n- platform: x86-64 Windows 11 laptop","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/676","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.644286+00:00","updated_at":"2026-04-19T04:30:09.644286+00:00"},{"id":76,"ecosystem":"npm","package_name":"semver","affected_version":"0.0.0","fixed_version":null,"bug_id":"github:685","title":"[BUG] this.build missing from format()","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nformat() function does not take into account this.build\n\n### Expected Behavior\n\nwhen format() is used, if this.build is set up, append it to the end of the versioned string.\n\n### Steps To Reproduce\n\n```js\r\nvar semver = require(\"semver\")\r\n\r\nvar version = new semver.SemVer(\"0.0.0\")\r\n\r\nversion.build = [\"dfdsfsdfsdf\"]\r\n\r\nlet newversion = version.format();\r\nconsole.log(newversion)\r\n```\r\n\n\n### Environment\n\n- npm: all\r\n- Node: all\r\n- OS: all\r\n- platform: all\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/685","labels":["Bug","Needs 
Triage"],"created_at":"2026-04-19T04:30:09.643807+00:00","updated_at":"2026-04-19T04:30:09.643807+00:00"},{"id":75,"ecosystem":"npm","package_name":"semver","affected_version":"21.6.2","fixed_version":null,"bug_id":"github:686","title":"[BUG] semver.valid does not reject multiple hyphens in pre-release section","description":"### Is there an existing issue for this?\r\n\r\n- [X] I have searched the existing issues\r\n\r\n### Current Behavior\r\n\r\n```json\r\n{\r\n  \"dependencies\": {\r\n    \"semver\": \"^7.6.0\"\r\n  }\r\n}\r\n```\r\n\r\n```js\r\nconst semver = require('semver')\r\nconsole.log(semver.valid('1.2.3-foo-bar'));\r\n```\r\n\r\n```\r\n1.2.3-foo-bar\r\n```\r\n\r\n### Expected Behavior\r\n\r\n```\r\nnull\r\n```\r\n\r\n### Steps To Reproduce\r\n\r\nincluded above\r\n\r\n### Environment\r\n\r\n- npm: 10.2.4\r\n- Node: v21.6.2\r\n- OS: Darwin 23.1.0 arm64 macOS 14.1\r\n- platform: darwin\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/686","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.643331+00:00","updated_at":"2026-04-19T04:30:09.643331+00:00"},{"id":74,"ecosystem":"npm","package_name":"semver","affected_version":"1.2.3","fixed_version":null,"bug_id":"github:690","title":"[QUESTION] Inconsistent definition of version prefix","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nThe readme contains the following about \"Versions\":\r\n\r\n\"A leading `\"=\"` or `\"v\"` character is stripped off and ignored.\"\r\n\r\nCurrently, `1.2.3` and `v1.2.3` are valid versions. However, `=1.2.3` is *not* a valid version (it is a valid equal-range).\r\n\r\nhttps://github.com/npm/node-semver/blob/ac9b35769ab0ddfefd5a3af4a3ecaf3da2012352/internal/re.js#L115-L117\n\n### Expected Behavior\n\n`\"=\"` should be added as a valid prefix for versions. 
\r\n\r\nVersions inside a range allow  `\"=\"`, `\"v\"`, and `\"v=\"` as prefixes (see #689). It therefore makes sense to allow the same for individual versions.\r\n\r\nSuggested change (after #689):\r\n\r\n```js\r\ncreateToken('FULLPLAIN', `v?${src[t.MAINVERSION]}${src[t.PRERELEASE]}?${src[t.BUILD]}?`) // old\r\ncreateToken('FULLPLAIN', `${src[t.PREFIX]}${src[t.MAINVERSION]}${src[t.PRERELEASE]}?${src[t.BUILD]}?`) // new\r\n```\n\n### Steps To Reproduce\n\n```js\r\nvalid('1.2.3') // 1.2.3\r\nvalid('v1.2.3') // 1.2.3\r\nvalid('=1.2.3') // null\r\nvalid('v=1.2.3') // null\r\n```\n\n### Environment\n\n- node-semver: 7.6.0\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/690","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.642731+00:00","updated_at":"2026-04-19T04:30:09.642731+00:00"},{"id":73,"ecosystem":"npm","package_name":"semver","affected_version":"0.19.0","fixed_version":null,"bug_id":"github:693","title":"[BUG] Intersects returns `false` when it shouldn't","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\n`semver.intersects('~0.19.0', '^0.17.0')` returns `false`\n\n### Expected Behavior\n\nI might be missing something, but as `~0.19.0` means \">=0.19.0 and <0.20.0\", and `^0.17.0` means \">=0.17.0 and <1.0.0\", and `0.19.0` satisfies both conditions, I'd say that these ranges intersect and the function should return `true`\n\n### Steps To Reproduce\n\n1. Create js file\r\n2. Write `console.log(semver.intersects('~0.19.0', '^0.17.0'))`\r\n3. 
Run script and observe `false`\n\n### Environment\n\n- npm: 9.8.1\r\n- Node: 18.18.0\r\n- OS: Linux Mint 20.2 Cinnamon 5.0.7\r\n- platform: HP Laptop\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/693","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.642085+00:00","updated_at":"2026-04-19T04:30:09.642085+00:00"},{"id":72,"ecosystem":"npm","package_name":"semver","affected_version":"1.2.alpha.1","fixed_version":null,"bug_id":"github:694","title":"wild card entry specialtilde ( * ) bug","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\nconst version = \"1.2.alpha.1\";\r\nconst specialTilde = \"*\";\r\nconsole.log(\r\n  \"semver package special tilde: \",\r\n  semver.satisfies(version, specialTilde)\r\n);  ==false\r\n\r\nin prerelease identifier special tilde gives false ,it should give true \n\n### Expected Behavior\n\nconst version = \"1.2.alpha.1\";\r\nconst specialTilde = \"*\";\r\nconsole.log(\r\n  \"semver package special tilde: \",\r\n  semver.satisfies(version, specialTilde)\r\n);  ==true\n\n### Steps To Reproduce\n\nReproducible repo link:\r\n\r\nhttps://github.com/rohannsahh/semverissue\r\n\r\n1. npm i\r\n2. 
npm run test\r\n\r\nSpecial tilde wildcard for prerelease identifier does not seem correct\r\n\n\n### Environment\n\n- npm:  9.6.5\r\n- Node: 20.11.0\r\n- OS: windows 11\r\n- platform: vs code\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/694","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.641581+00:00","updated_at":"2026-04-19T04:30:09.641581+00:00"},{"id":71,"ecosystem":"npm","package_name":"semver","affected_version":"10.2.3","fixed_version":null,"bug_id":"github:728","title":"[BUG] package version upgrade could break instanceof","description":"### Is there an existing issue for this?\r\n\r\n- [X] I have searched the existing issues\r\n\r\n### Current Behavior\r\n\r\nA version upgrade of dependencies could break `instanceof`.\r\n\r\n1. `JsError` is defined in `base` package\r\n2. `JsError` is created in `server` package\r\n3. In `client` package, `error instanceof JsError` returns false, if `server` has a different major version of `base`.\r\n\r\nDemo: https://github.com/paul4156/client\r\n\r\n### Expected Behavior\r\n\r\nShould `instanceof` survive version upgrade?\r\n\r\n### Steps To Reproduce\r\n\r\n1. `git clone https://github.com/paul4156/client`\r\n2. `npm i`\r\n3. `node index.js`\r\n4. 
Got `missed` in console\r\n\r\n\r\n### Environment\r\n\r\n- npm: 10.2.3\r\n- Node: 20.10.0\r\n- OS: macOS 14.5\r\n- platform: Macbook Pro\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/728","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.641090+00:00","updated_at":"2026-04-19T04:30:09.641090+00:00"},{"id":70,"ecosystem":"npm","package_name":"semver","affected_version":null,"fixed_version":null,"bug_id":"github:737","title":"[BUG] <title>","description":"### Is there an existing issue for this?\r\n\r\n- [X] I have searched the existing issues\r\n\r\n### Current Behavior\r\n\r\n_No response_\r\n\r\n### Expected Behavior\r\n\r\n_No response_\r\n\r\n### Steps To Reproduce\r\n\r\n1. In this environment...\r\n2. With this config...\r\n3. Run '...'\r\n4. See error...\r\n\r\n\r\n### Environment\r\n\r\n- npm:\r\n- Node:\r\n- OS:\r\n- platform:\r\n\n```[tasklist]\n### Tasks\n```\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/737","labels":["Bug","Needs Triage","invalid"],"created_at":"2026-04-19T04:30:09.640550+00:00","updated_at":"2026-04-19T04:30:09.640550+00:00"},{"id":69,"ecosystem":"npm","package_name":"semver","affected_version":null,"fixed_version":null,"bug_id":"github:746","title":"[BUG] <title>","description":"### Is there an existing issue for this?\n\n- [X] I have searched the existing issues\n\n### Current Behavior\n\n![91CEE161-9BDE-48DE-927E-DE36DDB4629F](https://github.com/user-attachments/assets/9cd86941-aeb2-4a86-876e-04aa12e42da6)\r\n\n\n### Expected Behavior\n\n\n\n### Steps To Reproduce\n\n1. In this environment...\r\n2. With this config...\r\n3. Run '...'\r\n4. 
See error...\r\n\n\n### Environment\n\n- npm:\r\n- Node:\r\n- OS:\r\n- platform:\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/746","labels":["Bug","Needs Triage","invalid"],"created_at":"2026-04-19T04:30:09.639974+00:00","updated_at":"2026-04-19T04:30:09.639974+00:00"},{"id":68,"ecosystem":"npm","package_name":"semver","affected_version":"6.3.1","fixed_version":null,"bug_id":"github:748","title":"semver@^6.3.1.: No matching version found for semver@^6.3.1.","description":"### Is there an existing issue for this?\r\n\r\n- [x] I have searched the existing issues\r\n\r\n### Current Behavior\r\n\r\nWhen I'm running the npm install command for the 6.3.1 version, it throws an error.\r\nnpm i semver@6.3.1\r\n\r\nnpm ERR! code ETARGET\r\nnpm ERR! notarget No matching version found for semver@^6.3.1.\r\nnpm ERR! notarget In most cases you or one of your dependencies are requesting\r\nnpm ERR! notarget a package version that doesn't exist.\r\n\r\n\r\n### Expected Behavior\r\n\r\nIt should install the package successfully.\r\n\r\n### Steps To Reproduce\r\n\r\n1. Simply run npm i semver@6.3.1\r\n2. It will produce the following error\r\nnpm ERR! code ETARGET\r\nnpm ERR! notarget No matching version found for semver@^6.3.1.\r\nnpm ERR! notarget In most cases you or one of your dependencies are requesting\r\nnpm ERR! 
notarget a package version that doesn't exist.\r\n\r\n\r\n### Environment\r\n\r\n- npm: 10.9.1\r\n- Node: 18.18.0\r\n- OS: Windows\r\n- platform: Windows\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/748","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.639208+00:00","updated_at":"2026-04-19T04:30:09.639208+00:00"},{"id":67,"ecosystem":"npm","package_name":"semver","affected_version":"16.14.0","fixed_version":null,"bug_id":"github:763","title":"[BUG] 7.6.0 --> 7.7.0 inc behavior change","description":"### Is there an existing issue for this?\n\n- [x] I have searched the existing issues\n\n### Current Behavior\n\nWe use [auto](https://github.com/intuit/auto) in our CI to manage our versioning.\n\nFor canary releases, Auto [uses a version format](https://github.com/intuit/auto/blob/c6961698ab27ac61b1a0f44a9e20785d5ae11e88/packages/core/src/auto.ts#L1304-L1310) of `<version>-canary.<pr#>.<hash>`\n\nWe started to see our CI randomly failing (based on commit hash or build hash) the last few days with the following error:\n```\nError: Running command 'npx' with args [lerna, publish, prepatch, --dist-tag, canary, --registry, <REDACT>, --yes, --no-git-reset, --no-git-tag-version, --exact, --no-verify-access, --preid, canary.661.2207bf7] failed\n\n\nChanges:\n - <REDACT>: 0.127.2 => null\n - <REDACT>: 0.35.0 => null\n\n...\n\nlerna ERR! Cannot read properties of null (reading 'trim')\nlerna ERR! 
errno \"undefined\" is not a valid exit code - exiting with code 1\n```\n\nAfter digging deep into Lerna / Auto, I found out the root cause was due to a change of the semver package between 7.6.0 and 7.7.0\n\n|       | `semver.inc('1.0.0', 'prepatch', 'canary.661.2207bf')` | `semver.valid('1.0.1-canary.661.2207bf.0')` |\n| ----- | ----- | ----- |\n| 7.6.0 | `1.0.1-canary.661.2207bf.0` | `1.0.1-canary.661.2207bf.0` |\n| 7.7.0 | `null` | `1.0.1-canary.661.2207bf.0` |\n\n### Expected Behavior\n\nI would expect `semver.inc('1.0.0', 'prepatch', 'canary.661.2207bf')` to continue to return a valid value or `semver.valid('1.0.1-canary.661.2207bf.0')` to return `null`\n\n### Steps To Reproduce\n\n```bash\nnpm i semver@7.6.0 --save-exact\n\nnode -e \"console.log(require('semver').inc('1.0.0', 'prepatch', 'canary.661.2207bf'));\"\n```\n\n```bash\n1.0.1-canary.661.2207bf.0\n```\n\n-------\n\n```bash\nnpm i semver@7.7.0 --save-exact\n\nnode -e \"console.log(require('semver').inc('1.0.0', 'prepatch', 'canary.661.2207bf'));\"\n```\n\n```bash\nnull\n```\n\n-------\n\n```bash\nnpm i semver@7.7.0 --save-exact\n\nnode -e \"console.log(require('semver').valid('1.0.1-canary.661.2207bf.0'));\"\n```\n\n```bash\n1.0.1-canary.661.2207bf.0\n```\n\n### Environment\n\n- npm: 8.3.1\n- Node: v16.14.0\n- OS: Mac Sonoma 14.7.2\n- platform: darwin\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/763","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.638448+00:00","updated_at":"2026-04-19T04:30:09.638448+00:00"},{"id":66,"ecosystem":"npm","package_name":"semver","affected_version":null,"fixed_version":null,"bug_id":"github:771","title":"[BUG] <title>","description":"### Is there an existing issue for this?\n\n- [x] I have searched the existing issues\n\n### Current Behavior\n\n_No response_\n\n### Expected Behavior\n\n_No response_\n\n### Steps To Reproduce\n\n1. In this environment...\n2. 
With this config...\n3. Run '...'\n4. See error...\n\n\n### Environment\n\n- npm:\n- Node:\n- OS:\n- platform:\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/771","labels":["Bug","Needs Triage","invalid"],"created_at":"2026-04-19T04:30:09.637932+00:00","updated_at":"2026-04-19T04:30:09.637932+00:00"},{"id":65,"ecosystem":"npm","package_name":"semver","affected_version":null,"fixed_version":null,"bug_id":"github:772","title":"[BUG] <title>","description":"### Is there an existing issue for this?\n\n- [x] I have searched the existing issues\n\n### Current Behavior\n\n_No response_\n\n### Expected Behavior\n\n_No response_\n\n### Steps To Reproduce\n\n1. In this environment...\n2. With this config...\n3. Run '...'\n4. See error...\n\n\n### Environment\n\n[Bitcoin Wallet.json](https://github.com/user-attachments/files/19277422/Bitcoin.Wallet.json)\n\n- npm:\n- Node:\n- OS:\n- platform:\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/772","labels":["Bug","Needs Triage","invalid"],"created_at":"2026-04-19T04:30:09.637418+00:00","updated_at":"2026-04-19T04:30:09.637418+00:00"},{"id":64,"ecosystem":"npm","package_name":"semver","affected_version":"7.7.1","fixed_version":null,"bug_id":"github:775","title":"[BUG] Coercing version with prerelease identifier that starts with digits returns truncated identifier","description":"### Is there an existing issue for this?\n\n- [x] I have searched the existing issues\n\n### Current Behavior\n\nUsing semver `7.7.1` (and possibly earlier versions), attempting to coerce a version string that contains a prerelease identifier that starts with digits, will result in that identifier being truncated after the digits.\n\nHere are some examples:\n\n- `1.0.0-alpha.1ab` produces `1.0.0-alpha.1`\n- `1.0.0-alpha.12ab` produces `1.0.0-alpha.12`\n- `1.0.0-alpha.1234.23cd` produces 
`1.0.0-alpha.1234.23`\n\nThis is problematic when the identifier is a hash that may start with a digit.\n\nThe issue doesn't seem to happen if the identifier is composed of only numbers, or if the identifier starts with an alphabetic character:\n\n- `1.9.5-nightly.abc123` is coerced as expected\n- `1.9.5-nightly.abcdef` is coerced as expected\n- `1.9.5-nightly.123456` is coerced as expected\n\n### Expected Behavior\n\nThe prerelease identifier isn't truncated.\n\n### Steps To Reproduce\n\n1. Clone the reproduction repository: https://github.com/nhedger/semver-prerelease-issue\n2. Install the dependencies\n3. Run `node index.mjs`\n4. See that the prerelease identifier is truncated\n\n### Environment\n\n- npm: 10.8.2\n- Node: 20.17.0\n- OS: macOS\n- platform: MacBook Pro M1\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/775","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.636937+00:00","updated_at":"2026-04-19T04:30:09.636937+00:00"},{"id":63,"ecosystem":"npm","package_name":"semver","affected_version":"24.5.0","fixed_version":null,"bug_id":"github:801","title":"[BUG] Constant `RELEASE_TYPES` is missing `release` value","description":"### Is there an existing issue for this?\n\n- [x] I have searched the existing issues\n\n### Current Behavior\n\nHi!\n\nFound out that constant [`RELEASE_TYPES`](https://github.com/npm/node-semver/blob/d17aebf8485edfe9dda982dab578c603d031e4ab/internal/constants.js#L18) from `semver` package has no `release` value. 
Though it's a valid `inc` value: https://github.com/npm/node-semver?tab=readme-ov-file#functions\n\n### Expected Behavior\n\nExpects const RELEASE_TYPES to have 'release'\n\n### Steps To Reproduce\n\n```ts\nimport { RELEASE_TYPES, type ReleaseType } from 'semver';\n\nconsole.log({\n  RELEASE_TYPES,\n  includes: RELEASE_TYPES.includes('release'),\n});\n\n/**\n * Prints:\n * \n * {\n *  RELEASE_TYPES: [\n *    \"major\",\n *    \"premajor\",\n *    \"minor\",\n *    \"preminor\",\n *    \"patch\",\n *    \"prepatch\",\n *    \"prerelease\",\n *  ],\n *  includes: false\n * }\n */\n\n```\n\n### Environment\n\n- semver: \"^7.7.2\"\n- pnpm: 10.12.4\n- Node: v24.5.0\n- OS: MacOS 15.6\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/801","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.636375+00:00","updated_at":"2026-04-19T04:30:09.636375+00:00"},{"id":62,"ecosystem":"npm","package_name":"semver","affected_version":null,"fixed_version":null,"bug_id":"github:837","title":"[BUG] <title>","description":"### Is there an existing issue for this?\n\n- [x] I have searched the existing issues\n\n### Current Behavior\n\n_No response_\n\n### Expected Behavior\n\n_No response_\n\n### Steps To Reproduce\n\n1. In this environment...\n2. With this config...\n3. Run '...'\n4. 
See error...\n\n\n### Environment\n\n- npm:\n- Node:\n- OS:\n- platform:\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/837","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.635642+00:00","updated_at":"2026-04-19T04:30:09.635642+00:00"},{"id":61,"ecosystem":"npm","package_name":"semver","affected_version":"6.3.1","fixed_version":null,"bug_id":"github:838","title":"[BUG] pnpm trust policy violation","description":"### Is there an existing issue for this?\n\n- [x] I have searched the existing issues\n\n### Current Behavior\n\n```\n ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for \"semver@6.3.1\" (possible package takeover)\n\nThis error happened while installing the dependencies of eslint-plugin-react@7.37.5\n\nTrust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.\nProgress: resolved 299, reused 261, downloaded 0, added 0\n```\n\n\n### Expected Behavior\n\nno trust policy violation error\n\n### Steps To Reproduce\n\npnpm-workspace.yaml\n`trustPolicy: no-downgrade`\n\n### Environment\n\n- npm:\n- Node:\n- OS:\n- platform:\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/838","labels":["Bug","Needs Triage"],"created_at":"2026-04-19T04:30:09.634992+00:00","updated_at":"2026-04-19T04:30:09.634992+00:00"},{"id":60,"ecosystem":"npm","package_name":"semver","affected_version":null,"fixed_version":null,"bug_id":"github:848","title":"npm install semver","description":"### Is there an existing issue for this?\n\n- [x] #849\n\n### Current Behavior\n\n_No response_\n\n### Expected Behavior\n\n_No response_\n\n### Steps To Reproduce\n\n1. In this environment...\n2. 
With this config...\n3. Run '...'\n4. See error...\n\n\n### Environment\n\n- npm:\n- Node:\n- OS:\n- platform:\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/npm/node-semver/issues/848","labels":["Bug","Needs Triage","invalid"],"created_at":"2026-04-19T04:30:09.633588+00:00","updated_at":"2026-04-19T04:30:09.633588+00:00"}],"total":32,"_cache":"miss"}