Please fix semver security issue.

[makeupyourmind]

The npm audit report says eslint-plugin-import package has a vulnerability:

Here is a security issue - https://security.snyk.io/package/npm/semver/6.3.0.

Please bump the semver version.

The version of the eslint-plugin-import package that I am using is 2.27.5.
Thanks in advance.

[ljharb]

Like most CVEs, it's a false positive. We're not using new Range nor are we doing anything that wouldn't be a self-attack (ie, not an attack).

We can't ever bump the semver version because v7 drops support for engines we support, so unless the fix is backported to v6, it'll just have to remain a false positive.

[makeupyourmind]

Like most CVEs, it's a false positive. We're not using new Range nor are we doing anything that wouldn't be a self-attack (ie, not an attack).

We can't ever bump the semver version because v7 drops support for engines we support, so unless the fix is backported to v6, it'll just have to remain a false positive.

Sounds sad, but thanks for the answer anyway.

[fernandopioli]

Same case here. It's breaking the CI even it's being a dev dependencie. o/

[christhofer]

How about reopening this issue until the backport fix on Semver completes?
This can avoid further duplicate issues.

Babel & Microsoft team tries to fix Semver v5/6, I see that @ljharb has commented there as well, but seems the Semver team still has no plan to backport the fix.
npm/node-semver/#564
npm/node-semver/#576

[ljharb]

People file duplicate issues for this kind of thing whether there's one open or not, in my experience, and regardless, no issue should ever be filed for this sort of thing. A major upgrade isn't reasonable to request, and if the package backports the fix, nothing needs to be done here.