semver is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed:

https://nodesecurity.io/advisories/semver_redos

Upstream fix:

https://github.com/npm/npm/commit/0dc68757cffd5397c280bc71365d106523a5a052
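
A defensive pattern for the issue described above, as an added example that is not code from semver, npm or the advisory: reject over-long version strings before any regular expression runs, then match with an anchored pattern that has no nested quantifiers. The names `parseVersionBounded` and `MAX_VERSION_LENGTH`, the 256-character cap and the simplified version grammar are assumptions made for illustration.

```javascript
'use strict';

// Assumed cap for this example; legitimate version strings are far shorter.
const MAX_VERSION_LENGTH = 256;

// Building blocks for an anchored MAJOR.MINOR.PATCH[-prerelease][+build] pattern.
// Identifiers are separated by '.', which is not in the identifier character
// class, so the regex engine has only one way to split the input (no
// catastrophic backtracking).
const NUM = '(0|[1-9][0-9]*)';
const IDS = '[0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*';
const VERSION_RE = new RegExp(
  `^v?${NUM}\\.${NUM}\\.${NUM}(?:-(${IDS}))?(?:\\+(${IDS}))?$`
);

// Hypothetical helper: returns a parsed version object, or null on rejection.
function parseVersionBounded(input, maxLength = MAX_VERSION_LENGTH) {
  if (typeof input !== 'string') return null;

  // Constant-time length check first, so attacker-sized input never
  // reaches the regex engine at all.
  if (input.length > maxLength) return null;

  const m = VERSION_RE.exec(input.trim());
  if (m === null) return null;

  // Reject numeric components that cannot be represented exactly.
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (![major, minor, patch].every(Number.isSafeInteger)) return null;

  return {
    major,
    minor,
    patch,
    prerelease: m[4] ? m[4].split('.') : [],
    build: m[5] ? m[5].split('.') : [],
  };
}

// Constructed inputs: one ordinary version, one oversized string.
console.log(parseVersionBounded('1.2.3-beta.1+build.5'));
console.log(parseVersionBounded('1.'.repeat(50000)));
```
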
Created nodejs-semver tracking bugs for this issue:

Affects: fedora-all [bug 1209498]
Affects: epel-all [bug 1209499]
External References: https://nodesecurity.io/advisories/semver_redos
CVE assignment: http://seclists.org/oss-sec/2016/q2/122