Vulnerability in transitive dependency trim-newlines
karlhorky opened this issue
Hi there, thanks for this package!
Transitive dependency chain: mozjpeg@6.0.0 -> logalot@2.1.0 -> squeak@1.3.0 -> lpad-align@1.1.2 -> meow@3.7.0 -> trim-newlines@^1.0.0
Vulnerability: GHSA-7p7h-4mm5-852v
Repro:
$ mkdir test-pkg
$ cd test-pkg
$ npm init -y
$ npm install mozjpeg
...
$ npm audit
# npm audit report
trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix`
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
2 high severity vulnerabilities
To address all issues, run:
npm audit fix
Ref: kevva/logalot#4
Ref: kevva/squeak#4
Ref: kevva/lpad-align#5
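A defender-side check, added here as an example and not code from the issue or the mozjpeg project: given a package-lock v2 style `packages` map (constructed below from the chain in this issue; the resolved version `trim-newlines@1.0.0` is an assumption, the issue only gives `^1.0.0`), it lists every dependency path that reaches a version inside the advisory range `<3.0.1 || =4.0.0`, following npm's nearest-`node_modules` resolution rather than assuming a flat tree.

```javascript
// Added example, not from the issue or mozjpeg: walk a package-lock v2 "packages"
// map and report every dependency path reaching a vulnerable version. The lockfile
// is constructed from the issue's chain; trim-newlines@1.0.0 is an assumed resolution.
const lock = {
  "": { dependencies: { mozjpeg: "^6.0.0" } },
  "node_modules/mozjpeg": { version: "6.0.0", dependencies: { logalot: "^2.1.0" } },
  "node_modules/logalot": { version: "2.1.0", dependencies: { squeak: "^1.3.0" } },
  "node_modules/squeak": { version: "1.3.0", dependencies: { "lpad-align": "^1.1.2" } },
  "node_modules/lpad-align": { version: "1.1.2", dependencies: { meow: "^3.7.0" } },
  "node_modules/meow": { version: "3.7.0", dependencies: { "trim-newlines": "^1.0.0" } },
  "node_modules/trim-newlines": { version: "1.0.0" },
};
// npm resolution: nearest node_modules/<name>, walking up from the dependent package.
function resolveDep(lock, fromPath, name) {
  for (let base = fromPath; ; base = base.slice(0, Math.max(0, base.lastIndexOf("/node_modules/")))) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
  }
}
// Minimal semver written for this example: x.y.z only; "||" = alternatives, space = AND.
function compareVersions(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
function satisfies(version, range) {
  return range.split("||").some((alt) => alt.trim().split(/\s+/).every((cmp) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
    if (!m) throw new Error("unsupported comparator: " + cmp);
    const c = compareVersions(version, m[2]);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[m[1] || "="];
  }));
}
// Depth-first walk from the root; returns "a@1.0.0 -> b@2.0.0 -> ..." chain strings.
function findVulnerablePaths(lock, pkgName, range) {
  const hits = [];
  const visit = (path, chain) => {
    for (const name of Object.keys(lock[path].dependencies || {})) {
      const depPath = resolveDep(lock, path, name);
      if (!depPath) continue; // declared but not installed (e.g. optional dependency)
      const next = chain.concat(name + "@" + lock[depPath].version);
      if (chain.includes(next[next.length - 1])) continue; // cycle guard
      if (name === pkgName && satisfies(lock[depPath].version, range)) hits.push(next.join(" -> "));
      else visit(depPath, next);
    }
  };
  visit("", []);
  return hits;
}
findVulnerablePaths(lock, "trim-newlines", "<3.0.1 || =4.0.0").forEach((p) => console.log(p));
```

Pointing `lock` at the parsed `packages` object of a real `package-lock.json` gives the same chain output that `npm audit` summarises as "Depends on vulnerable versions of trim-newlines", which is useful for deciding which intermediate package needs the bump.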
This project does not support Node.js. Please report the bug to the person who is repackaging MozJPEG for Node.
Ah sorry, didn't look closely enough at this repo! 🤦♂️
There's an open issue over here in the repo for the mozjpeg npm package: imagemin/mozjpeg-bin#63