update semver npm dependency to address npm audit message

[boutell]

Fixes:

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Tests pass with this change in place. According to the semver changelog the 7.0 changes are small:

"Refactor module into separate files for better tree-shaking
Drop support for very old node versions, use const/let, => functions, and classes."

By "old versions" they mean very old — "engines" still only specifies 10.x or better.

[ljharb]

Like most CVEs, it's a false positive. We're not using new Range nor are we doing anything that wouldn't be a self-attack (ie, not an attack).

We can't ever bump the semver version because v7 drops support for engines we support, so unless the fix is backported to v6, it'll just have to remain a false positive.

In addition, the semver team is working on a backport to v6, so all you have to do for this to be fixed is "wait".

Duplicate of #2803. Duplicate of #2804. Duplicate of #2805. Duplicate of #2806. Duplicate of #2807. Duplicate of #2808. Duplicate of #2809. Duplicate of #2810.

[boutell]

OK, thanks for the heads-up that semver is backporting this. I appreciate the response! (Which older engines are you still supporting?)

…

On Mon, Jul 10, 2023 at 11:58 AM Jordan Harband ***@***.***> wrote: Closed #2824 <#2824> . — Reply to this email directly, view it on GitHub <#2824 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAH27NAPI6EDWYMWG6BEIDXPQRDXANCNFSM6AAAAAA2ETHYYE> . You are receiving this because you authored the thread.Message ID: ***@***.*** com>

-- THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

[ljharb]

In general, all of them - my eslint plugins rarely go below node 4, but all my other packages go down to node 0.4.

[boutell]

... github, where is the "awed" emoji?