Update make-dir to resolve vulnerable dependency

[bloep]

the less.js dependency make-dir is not up-to-date and causes security warning due to its outdated dependency.
see GHSA-c2qf-rxjj-qqgw

$ npm ls semver  
[email protected] project
└─┬ [email protected]
       └── [email protected]

I would suggest updating to a current make-dir version here.
A quick search showed that it is only used here, so from my point of view an update should bring little problems.

less.js/packages/less/bin/lessc

Lines 163 to 172 in 7491578

	if (mkdirp === undefined) {
	try {
	mkdirp = require('make-dir');
	} catch (e) {
	mkdirp = null;
	}
	}
	cmd = mkdirp && mkdirp.sync || fs.mkdirSync;
	cmd(dir);

[stefandobre]

It appears an outdated version of semver is also referenced as a dev dependency here:

less.js/packages/less/package.json

Line 100 in 4d3189c

"semver": "^6.3.0",

[stefandobre]

@iChenLei, is there any update on this? If not, would a pull request be welcome?

[Den-dp]

it was fixed on make-dir side, run npm audit fix or try to reinstall less

[jorenbroekema]

it was fixed on make-dir side, run npm audit fix or try to reinstall less

That will only fix it if you use --force because the vulnerability fix has not been done in v2 of make-dir, but rather in the next major(s).

This means it would be best if less can upgrade make-dir to the latest major version.

Dunno if this repo is still maintained but I'd be open to creating a pull request.

[iChenLei]

@jorenbroekema PR welcome

[jorenbroekema]

@iChenLei done #4250