
Update `make-dir` to resolve vulnerable dependency

Open bloep opened this issue 2 years ago • 6 comments

The less.js dependency make-dir is not up to date and causes a security warning due to its outdated dependency. See https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

```text
$ npm ls semver
[email protected] project
└─┬ [email protected]
  └── [email protected]
```

I would suggest updating to a current make-dir version here. A quick search showed that it is only used here, so from my point of view an update should cause few problems. https://github.com/less/less.js/blob/7491578403a5a35464772c730854c3a5169c0de7/packages/less/bin/lessc#L163-L172

bloep avatar Jul 06 '23 07:07 bloep

It appears an outdated version of semver is also referenced as a dev dependency here: https://github.com/less/less.js/blob/4d3189c05175dfd8aab505ec19c7f5724f145295/packages/less/package.json#L100

stefandobre avatar Jul 06 '23 10:07 stefandobre

@iChenLei, is there any update on this? If not, would a pull request be welcome?

stefandobre avatar Aug 01 '23 19:08 stefandobre

It was fixed on the make-dir side; run `npm audit fix` or try to reinstall less.

Den-dp avatar Aug 02 '23 00:08 Den-dp

> It was fixed on the make-dir side; run `npm audit fix` or try to reinstall less.

That will only fix it if you use `--force`, because the vulnerability fix has not been done in v2 of make-dir, but rather in the next major(s).

This means it would be best if less can upgrade make-dir to the latest major version.

Dunno if this repo is still maintained but I'd be open to creating a pull request.

jorenbroekema avatar Dec 07 '23 11:12 jorenbroekema
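The point above, that `npm audit fix` can only pull in a patched transitive dependency when the patched version falls inside the range the parent package declares, can be checked mechanically. The script below is an added example, not code from the less.js project; the dependency ranges and "fixed" versions in it are constructed placeholders, not the versions from the advisory.

```javascript
// Added example (not less.js project code). Models how `npm audit fix`
// decides whether a patched dependency is reachable without `--force`.
// All version numbers below are CONSTRUCTED placeholders.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal caret-range check (^x.y.z): any version >= x.y.z with the same
// major (or, for 0.y.z, the same minor). Only caret ranges are handled here.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [maj, min] = parseVersion(base);
  const [vmaj, vmin] = parseVersion(version);
  return maj > 0 ? vmaj === maj : vmaj === 0 && vmin === min;
}

// Outcome for one dependency edge. declaredRange: what the parent's
// package.json asks for; installed: what the lockfile currently resolves to;
// fixedVersions: patched releases, given in ascending order.
function auditFixOutcome(declaredRange, installed, fixedVersions) {
  const reachable = fixedVersions.filter((v) => satisfiesCaret(declaredRange, v));
  if (reachable.length === 0) return 'requires-major-bump'; // only --force or a parent upgrade helps
  return compareVersions(installed, reachable[0]) >= 0 ? 'already-fixed' : 'fixable-in-range';
}

// Constructed scenario mirroring the thread: less pins make-dir to a v2
// caret range, but the release that bumps make-dir's own semver dependency
// is only available in a later major.
const lessToMakeDir = auditFixOutcome('^2.1.0', '2.1.0', ['3.0.0', '4.0.0']);
console.log(`less -> make-dir: ${lessToMakeDir}`); // requires-major-bump

// Contrast: a fix released inside the declared range is picked up silently.
console.log(`in-range patch: ${auditFixOutcome('^5.6.0', '5.6.0', ['5.7.0', '6.3.0'])}`);
```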

@jorenbroekema PR welcome

iChenLei avatar Dec 07 '23 12:12 iChenLei

@iChenLei done https://github.com/less/less.js/pull/4250

jorenbroekema avatar Dec 07 '23 13:12 jorenbroekema