npm audit security vulnerability in semver <= 7.5.2

[josundt]

npm audit gives warning about the indirect semver dependency:

semver <-- normalize-package-data <-- read-pkg <-- read-pkg-up

Updating to latest version of read-pkg-up should mitigate this.

[Eejit43]

Is there any reason that can't be bumped? If not that would definitely be great to do.

[pcorpet]

It would require to switch eslint-plugin-unicorn to ESM. I'm not sure if this is something that the maintainer wants. @sindresorhus would you consider moving to ESM, can I help?

[sindresorhus]

We cannot use ESM here until we only support the new ESLint flat config.

[sindresorhus]

As with 99% of all audit warnings, this one too does not apply to most projects, including this one: https://overreacted.io/npm-audit-broken-by-design/

There are ways to ignore audit warnings: https://stackoverflow.com/questions/72713764/how-to-ignore-a-package-during-npm-audit

And hopefully even better ways in the future: npm/rfcs#18

[ehoogeveen-medweb]

I believe this specific issue no longer applies, as semver v5.7.2 was released with a backport of the fix for the security vulnerability (changelog, pull request). As a result, npm audit no longer warns.

[samualtnorman]

read-pkg-up is deprecated, maybe this issue should be renamed to be about moving to read-package-up