alexbrazier / simple-update-notifier

Simple update notifier to check for npm updates for cli applications
MIT License

Semver dependency vulnerable to Regular Expression Denial of Service #30

Open shandli123 opened 1 month ago

shandli123 commented 1 month ago

For version 1.1.0 the dependency is on semver ~7.0.0, which is vulnerable to Regular Expression Denial of Service; the patch is in 7.5.4, which does not seem to be supported for the above version.

Issue Title: Dependency on outdated semver version (~7.0.0)

Description: The simple-update-notifier package depends on semver@~7.0.0, but I need to use semver@7.5.4 to address certain vulnerabilities. Can this dependency be updated to allow for a more recent version?

Steps to Reproduce:

  1. Install simple-update-notifier.
  2. Run npm install and check the version of semver being used.

Expected Behavior: The package should allow using a newer version of semver, such as 7.5.4.
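An added check, not code from the project or from this thread: a Node script that scans a package-lock.json (v2/v3 `packages` map) for nested copies of `semver` older than the patched 7.5.4, and shows why a `~7.0.0` tilde range can never resolve to that release. The lockfile contents are constructed for the example.

```javascript
// Added example, not part of simple-update-notifier or the issue thread.
// Audits a lockfile for nested `semver` copies below the ReDoS-patched 7.5.4
// and demonstrates the tilde-range semantics behind the pin in the issue.
const PATCHED = [7, 5, 4];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Tilde ranges allow patch-level changes only: ~7.0.0 means >=7.0.0 <7.1.0,
// so 7.5.4 is outside the range and npm cannot pick it for this dependency.
function satisfiesTilde(range, version) {
  const lower = parseVersion(range.replace(/^~/, ''));
  const upper = [lower[0], lower[1] + 1, 0];
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Return every lockfile entry that resolves `semver` below the patched version.
function findVulnerableSemver(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/semver')) continue;
    if (compare(parseVersion(entry.version), PATCHED) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: the top-level semver is patched, but the pinned
// ~7.0.0 range forces a separate, older nested copy under the notifier.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/simple-update-notifier': { version: '1.1.0', dependencies: { semver: '~7.0.0' } },
    'node_modules/simple-update-notifier/node_modules/semver': { version: '7.0.0' },
  },
};

console.log(findVulnerableSemver(LOCK));          // flags the nested 7.0.0 copy
console.log(satisfiesTilde('~7.0.0', '7.5.4'));   // false: the pin excludes the fix
```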

alexbrazier commented 1 month ago

Hi @shandli123, is there a reason why you can't use version 2.0.0 of this package, which patches this semver version?

Unfortunately from #19 it looks like bumping the semver version caused nodemon to crash which was the original user of this package. They have since updated to 2.0.0 to fix the issue, but I'm worried that changing this may fix security warnings, but will cause people using the old nodemon to crash.

shandli123 commented 1 month ago

Yes, we can; I just wanted to know if there's a fix possible in the current version itself. Thanks!