I'm facing security vulnerabilities in my npm audit report, specifically related to semver (versions 7.0.0 - 7.5.1) and expo@44.0.6, both rated as moderate severity.
Here are the details from the npm audit report:
audit report:
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install expo@44.0.6, which is a breaking change
node_modules/@expo/image-utils/node_modules/semver
@expo/image-utils >=0.3.10-alpha.0
Depends on vulnerable versions of semver
node_modules/@expo/image-utils
@expo/prebuild-config *
Depends on vulnerable versions of @expo/image-utils
node_modules/@expo/prebuild-config
@expo/cli >=0.1.0
Depends on vulnerable versions of @expo/prebuild-config
node_modules/@expo/cli
expo >=45.0.0-beta.1
Depends on vulnerable versions of @expo/cli
node_modules/expo
5 moderate severity vulnerabilities
I've already tried running "npm audit fix --force," but it seems to introduce more issues than it resolves. After that command, I end up with 7 moderate and even 9 high-severity vulnerabilities.
I'm seeking guidance on how to resolve these vulnerabilities without upgrading to expo@49.0.4. I prefer to keep expo@44.0.6 if possible, as updating to expo@49.0.4 might cause other compatibility issues.
Additionally, I suspect that some packages may be interdependent, and updating one might create further problems. Should I consider downgrading certain packages to a version where the vulnerabilities are not present?
Any help or suggestions would be greatly appreciated. Thank you in advance for your support!