Backport GHSA-3xgq-45jj-v275

[G-Rath]

I hate to be "that guy" but what are the chances of getting the security fix backported to at least v6? that version is still mentioned by the readme as the way to go if you need to support less than node v7, and has had ~20,060,800 downloads in the last 7 days so clearly very popular.

Ideally it would be great to have backported for v5, v4, and v3 as well but I know it's annoying to do and ideally people should be upgrading.

It looks to me like the updated regex should apply safely to at least the v6 version - please let me know if there is anything I can do to reduce the effort from you to do the backporting.

(also thanks for your work on this library - I know these can be annoying to deal with, especially these kind of vulnerabilities which tend to only be exploitable in very rare situations; sadly for security compliance reasons we've got to get these patched regardless which is why having a backport or two would help greatly)

[satazor]

[email protected] was published with the backport

[G-Rath]

amazing thanks @satazor - I've made github/advisory-database#5021 updating the advisory to reflect that

huge thanks again and ❤️ for doing this!