Security vulnerability with trim-newlines
rjz-avaleo opened this issue
npm audit reported a high security vulnerability for the trim-newlines package, which is a transitive dependency of a few dependent packages:
- image-webpack-loader>imagemin-gifsicle>gifsicle>logalot>squeak>lpad-align>meow>trim-newlines
- image-webpack-loader>imagemin-mozjpeg>mozjpeg>logalot>squeak>lpad-align>meow>trim-newlines
- image-webpack-loader>imagemin-optipng>optipng-bin>logalot>squeak>lpad-align>meow>trim-newlines
- image-webpack-loader>imagemin-pngquant>pngquant-bin>logalot>squeak>lpad-align>meow>trim-newlines
- image-webpack-loader>imagemin-webp>cwebp-bin>logalot>squeak>lpad-align>meow>trim-newlines
These are all problems with deeper dependencies.
- I don't think these have any risks (how would you exploit this on a webpack loader?)
- I try to keep up to date with the dependencies, but some of them are not well maintained (see #353) so it's not easy to fix.
- Pull requests that fix these are always welcome.
I'm closing this, but feel free to open a PR that fixes them or I'm willing to reopen if you can at least give any indication how this can be a risk for a webpack loader.
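Added example, not part of the original thread or the project's code: a small triage helper that takes the five dependency chains listed in the issue and finds where they converge, so a fix can be aimed at one package instead of five. The function names (`parseChain`, `commonTail`, `summarize`) are hypothetical, and the input is the chain list copied from the issue text.

```javascript
// Constructed input: the five chains exactly as listed in the issue above.
const chains = [
  "- image-webpack-loader>imagemin-gifsicle>gifsicle>logalot>squeak>lpad-align>meow>trim-newlines",
  "- image-webpack-loader>imagemin-mozjpeg>mozjpeg>logalot>squeak>lpad-align>meow>trim-newlines",
  "- image-webpack-loader>imagemin-optipng>optipng-bin>logalot>squeak>lpad-align>meow>trim-newlines",
  "- image-webpack-loader>imagemin-pngquant>pngquant-bin>logalot>squeak>lpad-align>meow>trim-newlines",
  "- image-webpack-loader>imagemin-webp>cwebp-bin>logalot>squeak>lpad-align>meow>trim-newlines",
];

// Turn "- a>b>c" into ["a", "b", "c"], tolerating a list bullet and whitespace.
function parseChain(line) {
  return line.replace(/^\s*-\s*/, "").split(">").map((s) => s.trim()).filter(Boolean);
}

// Longest run of package names shared at the END of every path.
function commonTail(paths) {
  if (paths.length === 0) return [];
  const tail = [];
  const shortest = Math.min(...paths.map((p) => p.length));
  for (let i = 1; i <= shortest; i++) {
    const name = paths[0][paths[0].length - i];
    if (!paths.every((p) => p[p.length - i] === name)) break;
    tail.unshift(name);
  }
  return tail;
}

// Summarize the chains: shared root, shared tail, and the branches in between.
function summarize(lines) {
  const paths = lines.map(parseChain).filter((p) => p.length > 0);
  const sharedTail = commonTail(paths);
  // The shared root is the common tail of the reversed paths.
  const sharedRoot = commonTail(paths.map((p) => [...p].reverse())).reverse();
  return {
    sharedRoot,
    sharedTail,
    // First package that every chain passes through on the way down.
    convergence: sharedTail[0],
    // Flagged package at the bottom of every chain.
    flagged: sharedTail[sharedTail.length - 1],
    // Per-chain packages between the shared root and the shared tail.
    branches: paths.map((p) => p.slice(sharedRoot.length, p.length - sharedTail.length)),
  };
}

console.log(JSON.stringify(summarize(chains), null, 2));
```

For this input every chain reaches trim-newlines through the same `logalot>squeak>lpad-align>meow` sub-chain, so the five audit findings are one finding seen through five binary wrappers.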