
[BUG] Back-port to v6 the fix for Regular Expression Denial of Service #577

Closed
@joshuanapoli

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

  • Current versions of babel depend on semver@^6.3.0. This version has "Vulnerable to Regular Expression Denial of Service" CVE-2022-25883.
  • The babel team does not want to upgrade to the fixed version semver@^7.5.2, because it would be a breaking change (see [Bug]: [Security][helper-compilation-targets] Dependency semver version has vulnerability babel/babel#15720).
  • The babel team asserts that the "vulnerability" isn't relevant to babel. Unfortunately, this still leaves a burden on all dependent projects to analyze the situation. Is "ReDoS" relevant to me? Am I using vulnerable "semver" outside of babel? These aren't necessarily easy to answer.

Expected Behavior

Would you mind back-porting the ReDoS fix to version 6? :-)

Steps To Reproduce

In a project that depends on babel v7:

  • npm audit shows a CVE-2022-25883 vulnerability because of semver
  • GitHub Security Alerts also show the vulnerability because of semver

Environment

N/A
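The question the report raises (is an unfixed copy of semver reachable from anything other than Babel?) can be answered from the lockfile rather than from the npm audit summary. The following is an added example, not code from the issue, from Babel or from semver: it reads the "packages" map of a package-lock.json (lockfile version 2 or 3), resolves each package's semver dependency the way Node would, and groups dependents by the installed copy they actually get. The sample lockfile is constructed; the 7.5.2 cutoff is the fixed version named in the report, and treating every lower version as unfixed is an assumption made for this check.

```javascript
// Added example (not code from the issue, Babel or semver): list every copy of
// semver installed according to an npm package-lock.json, which packages
// resolve to each copy, and which of those dependents are not Babel packages.
// Assumes a lockfile version 2/3 "packages" map. The cutoff is the fixed
// version named in the issue; everything below it is treated as unfixed.
const FIXED_SEMVER = "7.5.2";

// Constructed sample lockfile standing in for a real project's package-lock.json.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app",
          dependencies: { "@babel/core": "^7.22.0", "some-tool": "^1.0.0", "legacy-lib": "^2.0.0" } },
    "node_modules/@babel/core": { version: "7.22.5",
          dependencies: { "@babel/helper-compilation-targets": "^7.22.5", semver: "^6.3.0" } },
    "node_modules/@babel/helper-compilation-targets": { version: "7.22.5", dependencies: { semver: "^6.3.0" } },
    "node_modules/legacy-lib": { version: "2.0.0", dependencies: { semver: "^6.0.0" } },
    "node_modules/semver": { version: "6.3.0" },                        // hoisted copy shared by the three above
    "node_modules/some-tool": { version: "1.0.0", dependencies: { semver: "^7.5.2" } },
    "node_modules/some-tool/node_modules/semver": { version: "7.5.2" }, // nested, non-hoisted copy
  },
};

// Numeric major.minor.patch comparison; prerelease/build suffixes are ignored,
// which is sufficient for a fixed-version cutoff check.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name of a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageNameFromPath(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return lockPath.slice(i + "node_modules/".length);
}

// Node-style resolution inside the lockfile: look in the requiring package's
// own node_modules first, then walk up one node_modules level at a time.
function resolveDep(lock, fromPath, name) {
  let p = fromPath;
  for (;;) {
    const candidate = (p ? p + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (p === "") return null;
    const i = p.lastIndexOf("/node_modules/");
    p = i === -1 ? "" : p.slice(0, i);
  }
}

// Map each installed semver copy to its version, unfixed flag and dependents.
function auditSemverCopies(lock, fixedVersion = FIXED_SEMVER) {
  const report = {};
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (!pkg.dependencies || !("semver" in pkg.dependencies)) continue;
    const resolved = resolveDep(lock, path, "semver");
    if (!resolved) continue; // declared but not installed (e.g. an optional dependency)
    const dependent = path === "" ? (pkg.name || "(root)") : packageNameFromPath(path);
    if (!report[resolved]) {
      const version = lock.packages[resolved].version;
      report[resolved] = { version, vulnerable: compareVersions(version, fixedVersion) < 0, dependents: [] };
    }
    report[resolved].dependents.push(dependent);
  }
  for (const entry of Object.values(report)) entry.dependents.sort();
  return report;
}

// The question from the issue: who, other than Babel, resolves to an unfixed copy?
function nonBabelDependentsOfVulnerable(report) {
  const out = [];
  for (const entry of Object.values(report)) {
    if (!entry.vulnerable) continue;
    for (const d of entry.dependents) if (!d.startsWith("@babel/")) out.push(d);
  }
  return out.sort();
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-semver.js [path/to/package-lock.json]; without an argument the sample is used.
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const report = auditSemverCopies(lock);
  console.log(JSON.stringify(report, null, 2));
  console.log("non-Babel dependents of unfixed semver:", nonBabelDependentsOfVulnerable(report));
}
```

On the sample, the hoisted 6.3.0 copy is shared by the two Babel packages and by legacy-lib, so the report shows one unfixed copy with a non-Babel dependent; the nested 7.5.2 copy under some-tool is reported as fixed. Run it against a real lockfile to see which of your own dependencies, if any, sit on an unfixed copy independently of Babel.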

Metadata

Labels: Bug (thing that needs fixing), Needs Triage (needs an initial review)