Update semver version

[Badisi]

Npm's report recommend to update semver dependency version.

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Source: github.com/advisories/GHSA-c2qf-rxjj-qqgw

[ljharb]

Like most CVEs, it's a false positive. We're not using new Range nor are we doing anything that wouldn't be a self-attack (ie, not an attack).

We can't ever bump the semver version because v7 drops support for engines we support, so unless the fix is backported to v6, it'll just have to remain a false positive.

Duplicate of #2803. Duplicate of #2804.

[Badisi]

Sorry for the duplicates.

If by engine you mean node >= 4, don't you think it's time to drop it too ?
Or at least maintain a legacy and latest version of your library ?

[ljharb]

Nope, it'll likely never be time to do so.