Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
semver-parser
Advanced tools
Parse, verify, compare SemVer.
npm install semver-parser
APIs can be used either synchronously or asynchronously. Async function returns Promise which resolves with the result.
sync:
import { compareSemVer, isValidSemVer, parseSemVer } from 'semver-parser';
async:
import { promises } from 'semver-parser';
const { compareSemVer, isValidSemVer, parseSemVer } = promises;
NOTE: Is "v1.2.3" a semantic version?
Is "v1.2.3" a semantic version?
No, "v1.2.3" is not a semantic version. However, prefixing a semantic version with a "v" is a common way (in English) to indicate it is a version number.
For ease of use, this parser supports "v" prefixed string.
If you do not want to accept "v" prefix, set strict
param to true
.
Parses version string.
Determine whether the given argument is a valid SemVer string.
Compare versions in SemVer format.
<valid semver> ::= <version core>
| <version core> "-" <pre-release>
| <version core> "+" <build>
| <version core> "-" <pre-release> "+" <build>
(?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*)){2}(?:-(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*)(?:\.(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*))*)?(?:\+(?:\d*[A-Za-z-][\dA-Za-z-]*|\d+)(?:\.(?:\d*[A-Za-z-][\dA-Za-z-]*|\d+))*)?
<version core> ::= <major> "." <minor> "." <patch>
(?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*)){2}
<major> ::= <numeric identifier>
0|[1-9]\d*
<minor> ::= <numeric identifier>
0|[1-9]\d*
<patch> ::= <numeric identifier>
0|[1-9]\d*
<pre-release> ::= <dot-separated pre-release identifiers>
(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*)(?:\.(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*))*
<dot-separated pre-release identifiers> ::= <pre-release identifier>
| <pre-release identifier> "." <dot-separated pre-release identifiers>
(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*)(?:\.(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*))*
<build> ::= <dot-separated build identifiers>
(?:\d*[A-Za-z-][\dA-Za-z-]*|\d+)(?:\.(?:\d*[A-Za-z-][\dA-Za-z-]*|\d+))*
<dot-separated build identifiers> ::= <build identifier>
| <build identifier> "." <dot-separated build identifiers>
(?:\d*[A-Za-z-][\dA-Za-z-]*|\d+)(?:\.(?:\d*[A-Za-z-][\dA-Za-z-]*|\d+))*
<pre-release identifier> ::= <alphanumeric identifier>
| <numeric identifier>
0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*
<build identifier> ::= <alphanumeric identifier>
| <digits>
\d*[A-Za-z-][\dA-Za-z-]*|\d+
<alphanumeric identifier> ::= <non-digit>
| <non-digit> <identifier characters>
| <identifier characters> <non-digit>
| <identifier characters> <non-digit> <identifier characters>
[\dA-Za-z-]*[A-Za-z-][\dA-Za-z-]*
optimized:
\d*[A-Za-z-][\dA-Za-z-]*
<numeric identifier> ::= "0"
| <positive digit>
| <positive digit> <digits>
0|[1-9]\d*
<identifier characters> ::= <identifier character>
| <identifier character> <identifier characters>
[\dA-Za-z-]+
<identifier character> ::= <digit>
| <non-digit>
[\dA-Za-z-]
<non-digit> ::= <letter>
| "-"
[A-Za-z-]
<digits> ::= <digit>
| <digit> <digits>
\d+
<digit> ::= "0"
| <positive digit>
\d
<positive digit> ::= "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9"
[1-9]
<letter> ::= "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J"
| "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T"
| "U" | "V" | "W" | "X" | "Y" | "Z" | "a" | "b" | "c" | "d"
| "e" | "f" | "g" | "h" | "i" | "j" | "k" | "l" | "m" | "n"
| "o" | "p" | "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x"
| "y" | "z"
[A-Za-z]
FAQs
SemVer parser. parse, verify, compare SemVer.
The npm package semver-parser receives a total of 4,714 weekly downloads. As such, semver-parser popularity was classified as popular.
We found that semver-parser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.