fix: bump semver to ^7.5.3 to fix audit issue

[joaop-br]

Fixes #78 issue with npm audit

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semver [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[natan500]

I see that the changes here are in dev dependencies but in the last official version - 4.2.2 on npm website, the semver package is a production dependency.
https://www.npmjs.com/package/cls-hooked?activeTab=readme

[magtutu]

Semver is used in index.js when the module is loaded. Should this be in dependencies instead of devDependencies?

[okoethibm]

The latest release to npm was v4.2.2 in 2017, with a non-dev dependency on semver ^5.4.1
After that, there were multiple changes that never got released, including this commit which moved
semver from dependencies to devDependencies. But that was never released and the latest code still uses semver during module load. Looks strange.

[magtutu]

Does anyone know how to contact the module author?

[declanwoods]

It looks like superagent is also using semver@6, you will also need to upgrade superagent version requirement to ^5.3.1

[lynxSven]

Any update here? should we open a new PR where we change superagents version and semver?
See no reason why this should wait any longer