bcomnes / npm-run-all2

A CLI tool to run multiple npm-scripts in parallel or sequential. (Maintenance fork)
MIT License
250 stars 12 forks

npm-run-all2 is reported as having a moderate severity vulnerability #113

Closed. langthiennhai closed this 1 year ago

langthiennhai commented 1 year ago

As of today (03 July 2023), running npm audit on a project that uses npm-run-all2 results in the following audit report:

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/eslint-plugin-import/node_modules/semver
node_modules/semver
  eslint-plugin-import  >=2.27.4
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-import
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      npm-run-all2  *
      Depends on vulnerable versions of read-pkg
      node_modules/npm-run-all2

Trying npm audit fix --force does not work, at least not for me.

A fix for semver is available: https://github.com/npm/node-semver/releases/tag/v7.5.3

Please update npm-run-all's dependency tree to address this vulnerability.
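One way to see which resolved copies of semver a project actually pulls in, and through which chain, as an added example that is not part of this issue or of npm-run-all2: it walks a lockfileVersion-3 package-lock.json (a constructed sample mirroring the chain in the audit report above) using npm's nearest-node_modules lookup and lists every path from the root to a semver older than the 7.5.2 cut-off. The lockfile contents and version numbers are assumptions, and only dotted numeric versions are compared.

```javascript
// Added example, not code from the npm-run-all2 project. The lockfile below is a
// constructed sample shaped like the audit report: a hoisted old semver reached via
// npm-run-all2 > read-pkg > normalize-package-data, plus a nested copy under
// eslint-plugin-import. Versions are illustrative, not claims about real releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'npm-run-all2': '^6.0.0', 'eslint-plugin-import': '^2.27.5' } },
    'node_modules/npm-run-all2': { version: '6.0.5', dependencies: { 'read-pkg': '^5.2.0' } },
    'node_modules/read-pkg': { version: '5.2.0', dependencies: { 'normalize-package-data': '^2.5.0' } },
    'node_modules/normalize-package-data': { version: '2.5.0', dependencies: { semver: '2 || 3 || 4 || 5' } },
    'node_modules/semver': { version: '5.7.1' }, // hoisted copy, below the 7.5.2 fix
    'node_modules/eslint-plugin-import': { version: '2.27.5', dependencies: { semver: '^6.3.0' } },
    'node_modules/eslint-plugin-import/node_modules/semver': { version: '6.3.0' }, // nested copy
  },
};

// Compare dotted numeric versions; pre-release suffixes are dropped for brevity.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// npm resolution: a package at `from` sees dependency `name` in the nearest
// enclosing node_modules directory, walking up to the project root ('').
function resolve(packages, from, name) {
  let dir = from;
  for (;;) {
    const key = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    const i = dir.lastIndexOf('/node_modules/');
    if (i < 0) { if (dir === '') return null; dir = ''; continue; }
    dir = dir.slice(0, i);
  }
}

// Every root-to-`target` chain (as "name@version > ..." strings) whose resolved
// `target` version is older than `fixedIn`. `seen` is per path, so cycles stop.
function vulnerablePaths(lock, target, fixedIn) {
  const { packages } = lock;
  const found = [];
  const walk = (key, chain, seen) => {
    for (const dep of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolve(packages, key, dep);
      if (!depKey || seen.has(depKey)) continue;
      const next = [...chain, `${dep}@${packages[depKey].version}`];
      if (dep === target && cmpVersion(packages[depKey].version, fixedIn) < 0) found.push(next.join(' > '));
      walk(depKey, next, new Set([...seen, depKey]));
    }
  };
  walk('', [], new Set());
  return found;
}

console.log(vulnerablePaths(sampleLock, 'semver', '7.5.2').join('\n'));
```

Running it against a real project means replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; each printed chain is one place an `overrides` entry or an upstream bump has to take effect before `npm audit` goes quiet.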

bcomnes commented 1 year ago

Need to go through and do some updates to some packages that went esm only. Unfortunately this is non-trivial, so I haven't had time. A PR would be appreciated here if you need this asap. The vulns are not an issue for these use cases however.

bcomnes commented 1 year ago

Ok, I updated the esm only deps in https://github.com/bcomnes/npm-run-all2/pull/114. Will be out in the next release.