semver
Safeguard articles tagged "semver" — guides, analysis, and best practices for software supply chain and application security.
5 articles
semver (npm) Security Guide (2026)
semver is the version-parsing library at the heart of npm itself — and a single ReDoS CVE in its range parser turned this universal dependency into one of the most widely flagged advisories in the JavaScript ecosystem.
CVE-2022-25883: ReDoS in semver package
CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.
What Is Semantic Versioning?
Semantic versioning encodes the meaning of a release into its version number. Here is how MAJOR.MINOR.PATCH works and why it drives both dependency resolution and security triage.
How Snyk decides whether an automatic PR proposes a minor...
A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.
The Security Implications of Semantic Versioning
Semver promises predictability in dependency management. In practice, it creates a trust model with serious security implications that most developers do not consider.