Update to remove the vulnerability introduced by semver-regex?

[evansrobert]

Subject of the issue

find-versions@3.2.0 requires semver-regex@2.0.0, which has a security problem (see: SNYK-JS-SEMVERREGEX-1047770):
find-versions@3.2.0 ➔ semver-regex@2.0.0

I do not know if this vulnerability actually affects find-versions, but it will show up in security reports about dependencies. Since a large number of developers still use find-versions@3.2.*(1,762,377 downloads per week), is there any posibility that you could release an update version for 3.2.* (ie 3.2.1) that introduces a patched version(>=3.1.2) of semver-regex?

In find-versions@3.2.1, maybe you can perform the following update:
semver-regex ^2.0.0 ➔ ^3.1.2
where semver-regex@3.1.2(>=3.1.2) has fixed the vulnerability SNYK-JS-SEMVERREGEX-1047770.

[Levdbas]

Hi @sindresorhus , mind taking a look at this issue?

[sindresorhus]

In find-versions@3.2.1, maybe you can perform the following update:
semver-regex ^2.0.0 ➔ ^3.1.2

That is not possible. server-regex 3 requires Node.js 8, while find-versions 3 requires Node.js 6.

[sindresorhus]

I suggest upgrading find-versions.

[sindresorhus]

The "vulnerability" is a bullshit vulnerability anyway. Not every bug is a security vulnerability.

[sindresorhus]

https://overreacted.io/npm-audit-broken-by-design/