
fix: update semantic-release version #25

Closed. kspeyanski wants to merge 2 commits.

Conversation

kspeyanski (Contributor)

We have recently received a security-vulnerability notification from dependabot in the kendo-react-private repository, about CVE-2020-26226. Due to the way dependabot works (checks for vulnerabilities after a commit), we would be seeing the notification in other repositories soon.

Updating the package to version 17.2.3 would be enough for patching the vulnerability and should not require any changes from our side (at least from my local testing). Updating to latest (18) would require us to bump the node version to >14 which I'm afraid is not possible at the moment.
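As an added example (not code from this PR or from semantic-release), the following Node script does the check the discussion above implies a defender would want before and after the bump: it walks a package-lock.json, finds every resolved copy of semantic-release (including nested copies pulled in by presets), and flags any copy whose version is below 17.2.3, the version the PR names as the first one patched for CVE-2020-26226. It assumes the lockfile shapes npm writes (a nested "dependencies" tree in lockfile v1, a flat "packages" map in v2/v3); the sample lockfile and its versions are constructed for the demonstration.

```javascript
// Added example: flag locked copies of semantic-release below the patched version.
// Not part of the PR or of semantic-release itself.

const PACKAGE = 'semantic-release';
const FIXED_VERSION = '17.2.3'; // first patched version, as stated in the PR discussion

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below its release (17.2.3-beta.1 < 17.2.3); prerelease
// identifiers are compared as plain strings, which is enough for this check.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

// Collect every resolved copy of `name` in a lockfile, keyed by install path so
// a v2 lockfile (which carries both shapes) does not report the same copy twice.
function findLockedVersions(lock, name) {
  const found = new Map();
  const record = (path, version) => {
    if (version && !found.has(path)) found.set(path, { path, version });
  };
  // Lockfile v1: nested "dependencies" objects.
  const walkV1 = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const here = `${prefix}node_modules/${dep}`;
      if (dep === name) record(here, entry.version);
      walkV1(entry.dependencies, `${here}/`);
    }
  };
  walkV1(lock.dependencies, '');
  // Lockfile v2/v3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${name}`)) record(path, entry.version);
  }
  return [...found.values()];
}

// Every locked copy still below the fixed version, i.e. what dependabot would keep flagging.
function vulnerableCopies(lock) {
  return findLockedVersions(lock, PACKAGE).filter(
    (c) => compareSemver(c.version, FIXED_VERSION) < 0
  );
}

// Constructed sample lockfile (v2 shape): a top-level v6 copy that is still
// vulnerable and a nested copy under a preset that is already at 17.2.3.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/semantic-release': { version: '6.3.6' },
    'node_modules/some-preset': { version: '1.0.0' },
    'node_modules/some-preset/node_modules/semantic-release': { version: '17.2.3' },
  },
  dependencies: {
    'semantic-release': { version: '6.3.6' },
    'some-preset': {
      version: '1.0.0',
      dependencies: { 'semantic-release': { version: '17.2.3' } },
    },
  },
};

for (const c of vulnerableCopies(SAMPLE_LOCK)) {
  console.log(`${c.path}: ${c.version} < ${FIXED_VERSION} (still below the patched version)`);
}
```

To run it against a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a clean result on every repository is the signal that the dependabot alert will stop reappearing, which is the concern the PR raises.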

@ipeshev (Contributor) left a comment


It will break what could be broken.

@kspeyanski (Contributor Author)

Any ideas of how we can further test this without breaking every single repo in the organization?

@ipeshev (Contributor)

ipeshev commented Nov 25, 2021

Branch and release in different channel semantic-prerelease@break, but before that heavy local testing, for major packages in various suites.

@kspeyanski (Contributor Author)

The latest commit adds dependencies which were present in v6 of semantic-release but not in v17 and we're still somewhat using them.

The semantic-release-dry-run command in the kendo-react-private repo works with MISSING GITHUB/NPM TOKEN error, which is somewhat expected as I'm intentionally not passing them to avoid accidental release from my local machine.

@tsvetomir (Member)

Migration to the latest semantic release version is a noble idea, but it would take a deep look into how their plugin system works now.

The CVE has no impact on customers whatsoever, as it only concerns build logs which are private to us.

@kspeyanski (Contributor Author)

@tsvetomir Do you suggest ignoring the warning for now?

I'm totally OK with this, but wanted to start out a discussion, even if a PR was not the best place for it.

@tsvetomir (Member)

tsvetomir commented Aug 28, 2023

Closing, as it's not possible to override the major version from a plugin in the latest semantic-release versions.
See semantic-release/semantic-release#1507 and semantic-release/semantic-release#2641.

@tsvetomir tsvetomir closed this Aug 28, 2023
@tsvetomir tsvetomir deleted the update-semantic-release-version branch August 28, 2023 08:21