Use of semver package in pg module

[jilvin]

Current version of semver is 7.1.3. The package.json of pg module depends on semver version 4.3.2 . Is this intentional?

A license field update was carried out in the package semver after 4.3.2 .
npm/node-semver@70d7835

Users of pg module misses out on this critical update in semver package.

[charmander]

Aren’t the BSD and ISC licenses equivalent in permissions? Not sure how that’s a critical update.

[jilvin]

IANAL

The issue was that license mentioned in the package.json was BSD and not BSD 3 Clause(new). The original BSD has an advertising clause. The commit referred updated both license and the licence field within package.json .

[kwasimensah]

spdx-expression-parse also chokes on the string "BSD" because that's not a valid identifier. See jslicense/spdx-expression-parse.js#11

If you use LicenseWebpackPlugin and use spdx-satisfies as suggested in their documentation pg's dependency on this old version of semver will cause the plugin to choke.

[brianc]

This code is so old it can probably be safely removed, honestly. It was added when I was adding breaking changes to pg-native relatively frequently. I'll see about just deleting it & managing it better w/ an optionalDependencies field in package.json or something.

[SirAndrii]

Hi, Semver 4.3.2 is marked as a High level vulnerability:
https://security.snyk.io/package/npm/semver/4.3.2