[Bug]: Jest 29.60 still brings in old version of semver #14299
Closed as not planned
Description
Version
29.6.0
Steps to reproduce
- Install Jest 29.6.0 in your project
- Run `yarn why semver -R`
- Observe that semver 6.3.0 is brought in, a version with known vulnerabilities
jest@npm:29.6.0 [b1f28] (via npm:29.6.0 [b1f28])
│ ├─ @jest/core@npm:29.6.0 [a4482] (via npm:^29.6.0 [a4482])
│ │ ├─ @jest/transform@npm:29.6.0 (via npm:^29.6.0)
│ │ │ ├─ @babel/core@npm:7.18.10 (via npm:^7.11.6)
│ │ │ │ ├─ semver@npm:6.3.0 (via npm:^6.3.0)
│ │ │ │ └─ @babel/helper-compilation-targets@npm:7.18.9 [4dfa3] (via npm:^7.18.9 [4dfa3])
│ │ │ │ └─ semver@npm:6.3.0 (via npm:^6.3.0)
Expected behavior
I expect Jest to bring in semver version 7.3.5.
Actual behavior
Semver version 6.3.0 is included in my project.
Additional context
I think this might be happening because an old version of another library is being used, perhaps Babel.
Environment
System:
  OS: macOS 13.4.1
  CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
  Node: 18.15.0 - ~/.nvm/versions/node/v18.15.0/bin/node
  Yarn: 3.4.1 - ~/.nvm/versions/node/v18.15.0/bin/yarn
  npm: 9.5.0 - ~/.nvm/versions/node/v18.15.0/bin/npm
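An added example, not part of the original issue or of Jest: a small Node script that reads `yarn why <pkg> -R` style output and reports, for every copy of the package, the dependency chain that pulls it in and whether it is below a chosen version. The sample input is constructed from the tree in the report, the three-column indentation is an assumption about the tree layout, and the floor `7.3.5` is the version the reporter expected.

```javascript
// Constructed sample modelled on the `yarn why semver -R` tree in the issue
// (nesting written out explicitly; not captured from a real run).
const SAMPLE = [
  "jest@npm:29.6.0 [b1f28] (via npm:29.6.0 [b1f28])",
  "├─ @jest/core@npm:29.6.0 [a4482] (via npm:^29.6.0 [a4482])",
  "│  ├─ @jest/transform@npm:29.6.0 (via npm:^29.6.0)",
  "│  │  ├─ @babel/core@npm:7.18.10 (via npm:^7.11.6)",
  "│  │  │  ├─ semver@npm:6.3.0 (via npm:^6.3.0)",
  "│  │  │  └─ @babel/helper-compilation-targets@npm:7.18.9 [4dfa3] (via npm:^7.18.9 [4dfa3])",
  "│  │  │     └─ semver@npm:6.3.0 (via npm:^6.3.0)",
].join("\n");

// Group 1: tree-drawing prefix, group 2: package name (optionally scoped),
// group 3: resolved version.
const LINE = /^([│├└─ ]*)((?:@[^@\/\s]+\/)?[^@\s]+)@npm:(\S+)/;

// Compare only major.minor.patch; pre-release tags are ignored.
function parseVersion(v) {
  return v.split(".").slice(0, 3).map((n) => parseInt(n, 10));
}

function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal versions are not below the floor
}

// Walk the tree top to bottom, keeping the current ancestor path in a stack.
function findChains(whyOutput, pkg, floor) {
  const stack = [];
  const results = [];
  for (const line of whyOutput.split("\n")) {
    const m = LINE.exec(line);
    if (!m) continue;
    const depth = m[1].length / 3; // assumed: 3 columns per nesting level
    stack.length = depth; // drop siblings and anything deeper
    stack.push(`${m[2]}@${m[3]}`);
    if (m[2] === pkg) {
      results.push({ version: m[3], belowFloor: isBelow(m[3], floor), chain: stack.join(" > ") });
    }
  }
  return results;
}

for (const r of findChains(SAMPLE, "semver", "7.3.5")) {
  console.log(`${r.belowFloor ? "BELOW FLOOR" : "ok"}: ${r.chain}`);
}
```

The chain shows which intermediate package declares the old range, which is where an upgrade or a `resolutions` entry in `package.json` has to be applied.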