
3.x release supporting recent semver? #43

Closed
PeterJCLaw opened this issue Jul 3, 2023 · 2 comments

Comments

@PeterJCLaw

PeterJCLaw commented Jul 3, 2023

I realise that with v4 now being released the 3.x series is no longer the latest, however a number of users are still stuck on the 3.x series due to the Node version requirement. (For my use-case the chain is: cspell 6.x -> configstore 5.x -> make-dir 3.x; each package along the chain has its own reasons for not picking up a major version bump of the dependent package; streetsidesoftware/cspell#4594, yeoman/configstore#89).

As far as I can tell the 6.x to 7.x version bump of semver isn't breaking to the usages in make-dir, so I'm expecting that cherry-picking 777eed3 then releasing a 3.x would suffice. Would you be up for doing that? (I'd be happy to create a PR if that's useful, though given the size of the change I'm assuming it's not particularly so)

@sindresorhus
Owner

The semver vulnerability does not apply to make-dir as it does not use semver with untrusted user-input. I understand you want the vulnerability gone from npm audit, but I don't want to waste all my maintainer time on bumping dependencies for "vulnerabilities" that in reality affect no one.

https://overreacted.io/npm-audit-broken-by-design/

@otacke

otacke commented Jul 7, 2023

It seems that Nicolò Ribaudo is going to create a pull request to fix the issue in version 6 of semver in order to please npm audit.
