Conversation

@timtheguy-bs (Contributor)

This pull request updates the lower bound of atOrAbove to 0.7.30 for CVE-2022-25927.

Rationale:

Currently, all versions of ua-parser-js are flagged for CVE-2022-25927 for any version before 0.7.33. This is the correct behavior if you only consider the GHSA (GHSA-fhg7-m89q-25r3), where we see:

Affected Versions:
All versions of the library prior to version 0.7.33 / 1.0.33.

However, according to the entry in NVD (https://nvd.nist.gov/vuln/detail/cve-2022-25927):

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

I investigated the discrepancy and can see that in version 0.7.30 of ua-parser-js, the code vulnerable to ReDoS was introduced: faisalman/ua-parser-js@336ce2b

The fix was committed in version 0.7.33: faisalman/ua-parser-js@a6140a1

Therefore, I believe we can confidently use the version range described in the NVD advisory.
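
The following is an added example, not code from this PR or from the RetireJS repository: a minimal `atOrAbove` / `below` range matcher that shows which ua-parser-js versions the narrowed entry flags compared with the previous lower-bound-less entry. The `atOrAbove`, `below` and `identifiers.CVE` field names are modelled on the Retire.js repository format as I understand it; the exact schema (and the `matchingCves` helper) are assumptions made for this illustration, and the version lists are constructed from the NVD ranges quoted above.

```javascript
// Added example (not RetireJS project code): check a package version against
// vulnerability entries using half-open [atOrAbove, below) ranges.
// Field names beyond atOrAbove/below are assumptions modelled on the repository.

// Parse "0.7.30" into [0, 7, 30]; a non-numeric component counts as 0.
function parseVersion(v) {
  return v.split(".").map((p) => {
    const n = parseInt(p, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Numeric component-wise comparison: -1, 0 or 1.
// (A plain string compare would wrongly put "0.7.9" above "0.7.30".)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` lies in [atOrAbove, below). A missing atOrAbove means
// "every version below", which is the over-broad behaviour the PR narrows.
function inRange(version, { atOrAbove, below }) {
  if (atOrAbove !== undefined && compareVersions(version, atOrAbove) < 0) return false;
  if (below !== undefined && compareVersions(version, below) >= 0) return false;
  return true;
}

// Collect the CVE identifiers of every entry that matches `version`.
function matchingCves(version, entries) {
  const cves = new Set();
  for (const entry of entries) {
    if (inRange(version, entry)) {
      for (const cve of entry.identifiers.CVE) cves.add(cve);
    }
  }
  return [...cves];
}

// Constructed entries for CVE-2022-25927 using the NVD ranges quoted in the PR:
// 0.7.30 <= v < 0.7.33 and 0.8.1 <= v < 1.0.33.
const UA_PARSER_JS_ENTRIES = [
  { atOrAbove: "0.7.30", below: "0.7.33", identifiers: { CVE: ["CVE-2022-25927"] } },
  { atOrAbove: "0.8.1", below: "1.0.33", identifiers: { CVE: ["CVE-2022-25927"] } },
];

// Constructed "before" entry: no lower bound, so every 0.7.x below 0.7.33 is flagged.
const OLD_ENTRY = [{ below: "0.7.33", identifiers: { CVE: ["CVE-2022-25927"] } }];

// Walk the boundary versions and show old versus new behaviour.
for (const v of ["0.7.29", "0.7.30", "0.7.32", "0.7.33", "0.8.1", "1.0.32", "1.0.33"]) {
  console.log(v, "old:", matchingCves(v, OLD_ENTRY), "new:", matchingCves(v, UA_PARSER_JS_ENTRIES));
}
```

The boundary versions in the loop are the ones worth eyeballing when changing a range: 0.7.29 drops out of the finding with the new lower bound, 0.7.30 and 0.7.32 stay flagged, and 0.7.33 and 1.0.33 (the fixed releases) are not flagged by either entry.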

@eoftedal (Contributor)

Thanks! Did you also submit a PR for GHSA-fhg7-m89q-25r3 ?

@timtheguy-bs force-pushed the add-lower-limit-cve-2022-25927 branch 2 times, most recently from d718562 to 91a7c3e (October 16, 2025 12:27)
@timtheguy-bs force-pushed the add-lower-limit-cve-2022-25927 branch from 91a7c3e to 25e8823 (October 16, 2025 12:29)
@timtheguy-bs (Contributor, Author)

I've updated my commit to be Verified, and also submitted a PR for the GHSA: github/advisory-database#6325. Good call!

@eoftedal eoftedal merged commit 9864a66 into RetireJS:master Oct 16, 2025