Backport updating mkdirp to 5.2.x branch

[G-Rath]

The latest version of the svg-sprite package has mocha ^5.2.0 as a dependency, which means it's being flagged by our security auditors due to mochas extract constraint on mkdirp.

While svg-sprite does appear to be active, there's not a lot of movement currently and they're gearing up for a new major, so it's not a guarantee that they'll have the bandwidth for a patch release.

For mocha, this has been addressed in master & v6; I was wondering if it would be possible to get this update backported to the v5.2.x branch.

I'm happy to create a PR into release/5.2.x if that'd help, but am unsure of the process :)

[juergba]

@G-Rath We are not patching as far back as Mocha@5 which is almost two years old.
I'm sorry.

[jayaddison]

@juergba I'll try to be brief, I appreciate your time and feedback as a maintainer here.

Would it be possible to clarify the maintenance policy via the project charter?

This issue affects a project using a relatively up-to-date node engine (v10.19.0) - but for various reasons it may take time to upgrade mocha.

Versioning and maintenance are problems as old as time itself, so I understand that it's not possible to backport the fix; it could help to document what the policy is so that current and future adopters can (potentially at least) be aware of the support policy.

Thanks again!

[outsideris]

We should make a LTS strategy, but we need more discussion in here.

[jayaddison]

Thanks @outsideris - I'll follow discussion there.