npm audit security vulnerability in semver <= 7.5.2

[josundt]

Please update this dependency to mitigate issue.

[ljharb]

Like most CVEs, it's a false positive. We're not using new Range nor are we doing anything that wouldn't be a self-attack (ie, not an attack).

We can't ever bump the semver version because v7 drops support for engines we support, so unless the fix is backported to v6, it'll just have to remain a false positive.

Duplicate of #2803. Duplicate of #2804. Duplicate of #2805. Duplicate of #2806. Duplicate of #2807. Duplicate of #2808. Duplicate of #2809.

[1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP]

The babel team has backported the fix to semver v6, can we use that? babel/babel#15742

[ljharb]

oof, I’d rather not, altho that’s a technically viable path forward. For now, you can do that yourself using npm overrides.