npm-run-all2 is reported as having a moderate severity vulnerabilty

[langthiennhai]

As of today (03 July 2023), running npm audit on a project that uses npm-run-all2 results in the following audit report:

npm audit report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/eslint-plugin-import/node_modules/semver
node_modules/semver
eslint-plugin-import >=2.27.4
Depends on vulnerable versions of semver
node_modules/eslint-plugin-import
normalize-package-data <=2.5.0
Depends on vulnerable versions of semver
node_modules/normalize-package-data
read-pkg <=5.2.0
Depends on vulnerable versions of normalize-package-data
node_modules/read-pkg
npm-run-all2 *
Depends on vulnerable versions of read-pkg
node_modules/npm-run-all2

Trying npm audit fix --force does not work, at least not for me.

A fix for semver is available: https://github.com/npm/node-semver/releases/tag/v7.5.3

Please update npm-run-all's dependency tree to address this vulnerability.

[bcomnes]

Need to go through and do some updates to some packages that went esm only. Unfortunately this is non-trivial, so I haven't had time. A PR would be appreciated here if you need this asap. The vulns are not an issue for these us cases however.

[bcomnes]

Ok, I updated the esm only deps in #114 Will be out in the next release.