Upgrade grunt-contrib-less to 2.1.0 and semver to 5.7.2 to fix CVEs by Copilot · Pull Request #942 · opentok/opentok-rtc

Copilot · 2026-03-17T22:01:15Z

Addresses two known vulnerabilities in transitive dependencies of grunt-contrib-less@2.0.0:

CVE	Severity	Vulnerable Dep	Fixed Version
CVE-2021-43138	High (7.8)	async@2.6.3	async@3.2.6 via grunt-contrib-less@2.1.0
CVE-2022-25883	Medium (5.3)	semver@5.7.1	semver@5.7.2

Changes

package.json: grunt-contrib-less ^2.0.0 → ^2.1.0
package-lock.json: Updated locked versions for grunt-contrib-less (2.1.0), async (3.2.6), chalk (4.1.2), semver (5.7.2), and their transitive deps

Original prompt

This section details on the original issue you should resolve

<issue_title>grunt-contrib-less-2.0.0.tgz: 2 vulnerabilities (highest severity is: 7.8) reachable</issue_title>
<issue_description>

Vulnerable Library - grunt-contrib-less-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (grunt-contrib-less version)	Fix PR available	Reachability
CVE-2022-25883	Medium	5.3	Proof of concept	0.6%	semver-5.7.1.tgz	Transitive	N/A*	❌	Reachable
CVE-2021-43138	High	7.8	Not Defined	0.70000005%	async-2.6.3.tgz	Transitive	2.1.0	✅	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

grunt-contrib-less-2.0.0.tgz (Root Library)
- less-3.12.2.tgz
  - make-dir-2.1.0.tgz
    - ❌ semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 7c898c0839317ea7989d15935972aa4dc520b907

Found in base branches: develop, master

Reachability Analysis

This vulnerability is potentially reachable

semver-5.7.1/semver.js (Application)
  -> jsonwebtoken-8.5.1/lib/psSupported.js (Extension)
   -> jsonwebtoken-8.5.1/sign.js (Extension)
    -> jsonwebtoken-8.5.1/index.js (Extension)
     -> opentok-2.10.0/lib/generateJwt.js (Extension)
      -> opentok-2.10.0/lib/opentok.js (Extension)
       -> ❌ opentok-rtc-5.0.1/test/mocks/mock_opentok.js (Vulnerable Component)

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2023-06-21

URL: CVE-2022-25883

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.6%

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

<...

Fixes grunt-contrib-less-2.0.0.tgz: 2 vulnerabilities (highest severity is: 7.8) unreachable #885

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

…21-43138 and CVE-2022-25883 Co-authored-by: VZaphod <210490533+VZaphod@users.noreply.github.com>

Initial plan

321feda

Copilot AI assigned Copilot and VZaphod Mar 17, 2026

Copilot started work on behalf of VZaphod March 17, 2026 22:01 View session

Upgrade grunt-contrib-less to 2.1.0 and semver to 5.7.2 to fix CVE-20…

b85e4bf

…21-43138 and CVE-2022-25883 Co-authored-by: VZaphod <210490533+VZaphod@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Fix vulnerabilities in grunt-contrib-less 2.0.0~~ Upgrade grunt-contrib-less to 2.1.0 and semver to 5.7.2 to fix CVEs Mar 17, 2026

Copilot AI requested a review from VZaphod March 17, 2026 22:07

Copilot finished work on behalf of VZaphod March 17, 2026 22:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade grunt-contrib-less to 2.1.0 and semver to 5.7.2 to fix CVEs#942

Upgrade grunt-contrib-less to 2.1.0 and semver to 5.7.2 to fix CVEs#942
Copilot wants to merge 2 commits into
masterfrom
copilot/fix-vulnerabilities-grunt-contrib-less

Copilot AI commented Mar 17, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Vulnerabilities

Details

Vulnerable Library - semver-5.7.1.tgz

Reachability Analysis

Vulnerability Details

Threat Assessment

CVSS 3 Score Details (5.3)

Suggested Fix

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Mar 17, 2026 •

edited

Loading