arborrow changed the title from "Dependency update needed" to "Dependency update needed to address trim-newlines CVE-2021-33623" on Jun 10, 2021
I was curious how this package was hoping to address CVE-2021-33623.
└─┬ [email protected] (current)
└─┬ [email protected] (current)
└─┬ [email protected] (current)
└─┬ [email protected] (current)
└─┬ [email protected] (2.0.0)
└─┬ [email protected] (10.0.1)
└── [email protected] (
squeak's package.json may want to update lpad-align to 2.*
lpad-align's 2.0.0 package.json still references meow 3.3
meow's 10.0.1 package.json requires the patched trim-newlines: "^4.0.1"
If lpad-align is able to update their meow dependency to the latest version ^10 then all should be well. But others may have better solutions. It appears there is an issue for lpad-align requesting an upgrade; however, the last commit to that repository was 4 years ago. lpad-align, squeak and logalot are all maintained by the same person @kevva. It's been several years since a commit on those repositories, so they may no longer be actively maintained. I'll see if I can get in touch with @kevva and see if he has any interest in updating things.
If not, it may be best for mozjpeg to rework and drop the dependency upon logalot. Perhaps https://www.npmjs.com/package/better-logging would be a better solution. I will suggest that as a possibility on the mozjpeg project.
Hopefully this helps folks to consider the various options for resolving CVE-2021-33623 in this project.
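An added JavaScript example, not code from the issue or from the mozjpeg, logalot or trim-newlines projects: it walks a package-lock.json-style tree for the chain the comment describes, reports which nesting paths end in a vulnerable copy of trim-newlines, and builds the npm "overrides" entry that pins the patched range as a stopgap while the upstream packages are unmaintained. The lock tree and every version number in it are constructed for the example; the package names follow the comment's chain (logalot, squeak, lpad-align, meow, trim-newlines), and the 3.0.1 backport range is taken from the upstream advisory for this CVE rather than from this issue, which only cites ^4.0.1.

```javascript
// Added example, not code from the issue or from the mozjpeg/logalot projects.
// Walks a package-lock.json (v1 "dependencies" shape) to find every nesting
// path that ends in a vulnerable trim-newlines, then builds an npm "overrides"
// entry forcing the patched range onto the whole tree.

// Constructed lock tree mirroring the chain in the issue comment
// (logalot -> squeak -> lpad-align -> meow -> trim-newlines).
// All version numbers here are made up for the example.
const constructedLock = {
  name: "example-app",
  dependencies: {
    logalot: {
      version: "2.1.0",
      dependencies: {
        squeak: {
          version: "1.3.0",
          dependencies: {
            "lpad-align": {
              version: "1.1.2",
              dependencies: {
                meow: {
                  version: "3.7.0",
                  dependencies: { "trim-newlines": { version: "1.0.0" } },
                },
              },
            },
          },
        },
      },
    },
    // A hoisted, already-patched copy at top level does not fix the nested one.
    "trim-newlines": { version: "4.0.2" },
  },
};

// Minimal numeric semver comparison (no prerelease handling; assumed sufficient
// for lockfile entries, which are pinned x.y.z versions).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Patched ranges for CVE-2021-33623: the issue cites ^4.0.1; the 3.0.1 backport
// range comes from the upstream advisory for the same CVE.
function isVulnerableTrimNewlines(version) {
  if (compareVersions(version, "4.0.0") >= 0) return compareVersions(version, "4.0.1") < 0;
  return compareVersions(version, "3.0.1") < 0;
}

// Depth-first walk over nested "dependencies" objects; returns one
// "root > a@x > b@y > target@z" string per vulnerable occurrence.
function findVulnerablePaths(lock, target, isVulnerable) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...trail, `${name}@${node.version}`];
      if (name === target && isVulnerable(node.version)) hits.push(here.join(" > "));
      walk(node.dependencies, here);
    }
  };
  walk(lock.dependencies, [lock.name]);
  return hits;
}

// Return a copy of package.json with an npm (>= 8.3) "overrides" entry that
// pins every copy of `pkg` in the tree to `range`, keeping existing overrides.
function withOverride(packageJson, pkg, range) {
  return { ...packageJson, overrides: { ...(packageJson.overrides || {}), [pkg]: range } };
}

const hits = findVulnerablePaths(constructedLock, "trim-newlines", isVulnerableTrimNewlines);
console.log(hits.length ? hits.join("\n") : "no vulnerable trim-newlines found");
console.log(JSON.stringify(withOverride({ name: "example-app" }, "trim-newlines", "^4.0.1"), null, 2));
```

The "overrides" key needs npm 8.3 or newer; Yarn uses "resolutions" for the same purpose. Forcing a transitive dependency past what its consumer declared only helps if the consumer (here meow 3.x) still works against the pinned version, so run the project's test suite after applying the override, and treat it as a bridge until the chain above lpad-align is updated or the logalot dependency is dropped.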