
Update dependencies of @wordpress/scripts to fix semver security issue #52029

@rosswintle

Description


I'm not sure how to raise this as it doesn't seem to fit one of the issue types that has a template.

We have a number of repositories that use @wordpress/scripts.

These all have Dependabot reporting "semver vulnerable to Regular Expression Denial of Service" as a moderate security issue that is present in semver < v7.5.2 and fixed in semver v7.5.2.

When I try to fix this, I can only get semver up to version 5.7.1 because of dependencies of @wordpress/scripts.

The chain of dependencies seems to be:

  • @wordpress/scripts@26.6.0 requires npm-package-json-lint: ^5.0.0
  • npm-package-json-lint@5.4.2 requires meow: ^6.1.1
  • meow@6.1.1 requires normalize-package-data: ^2.5.0
  • normalize-package-data@2.5.0 requires semver: 2 || 3 || 4 || 5

Updating npm-package-json-lint to v6.4.0 would fix this:

  • npm-package-json-lint@6.4.0 requires meow: ^9.0.0
  • meow@9.0.0 requires normalize-package-data: ^3.0.0
  • normalize-package-data@3.0.3 requires semver: ^7.3.4

I'd love to try to make a PR for this, but don't know how to do this given the mono-repo nature here.

Are there plans to update this dependency? Can someone that has the repo set up try it and see if it's a breaking change?

Thanks

Metadata
Labels

  • Good First Issue: An issue that's suitable for someone looking to contribute for the first time
  • Needs Dev: Ready for, and needs developer efforts
  • [Status] In Progress: Tracking issues with work in progress
  • [Tool] WP Scripts: /packages/scripts
  • [Type] Build Tooling: Issues or PRs related to build tooling
