
Dependency update needed to address trim-newlines CVE-2021-33623 #63

Open
arborrow opened this issue Jun 10, 2021 · 0 comments

I was curious how this package was hoping to address CVE-2021-33623.

└─┬ imagemin-mozjpeg@9.0.0 (current)
  └─┬ mozjpeg@7.1.0 (current)
    └─┬ logalot@2.1.0 (current)
      └─┬ squeak@1.3.0 (current)
        └─┬ lpad-align@1.1.2 (2.0.0)
          └─┬ meow@3.7.0 (10.0.1)
            └── trim-newlines@1.0.0 (

squeak's package.json may want to update lpad-align to 2.*
lpad-align's 2.0.0 package.json still references meow 3.3
meow's 10.0.1 package.json requires the patched trim-newlines: "^4.0.1"

If lpad-align is able to update their meow dependency to the latest version 10^ then all should be well. But others may have better solutions. It appears there is an issue for lpad-align requesting an upgrade; however, the last commit to that repository was 4 years ago. lpad-align, squeak and logalot are all maintained by the same person @kevva. It's been several years since a commit on those repositories, so they may no longer be actively maintained. I'll see if I can get in touch with @kevva and see if he has any interest in updating things.

If not, it may be best for mozjpeg to rework and drop the dependency upon logalot. Perhaps https://www.npmjs.com/package/better-logging would be a better solution. I will suggest that as a possibility on the mozjpeg project.

Hopefully this helps folks to consider the various options to resolving CVE-2021-33623 in this project.
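The dependency chain above is the kind of thing a consumer of this package would want to check mechanically rather than by eye. The following is an added example, not code from the issue author or from the mozjpeg / imagemin projects: it walks an `npm ls --json`-shaped tree (a constructed sample mirroring the chain reported above, plus a hypothetical second consumer that already pulls a patched meow) and reports every path that reaches trim-newlines, flagging versions below the fixed releases. The fixed releases 3.0.1 and 4.0.1 come from the GHSA advisory for CVE-2021-33623, not from the issue text.

```javascript
// Walk an `npm ls --json`-shaped dependency tree and report every path that
// reaches a target package, flagging versions below the fixed releases.
// Added example; not code from the issue or from mozjpeg / imagemin.

// Constructed sample tree: the chain reported in the issue, plus a
// hypothetical second consumer ("some-other-tool") on a patched meow.
const SAMPLE_TREE = {
  name: 'imagemin-mozjpeg', version: '9.0.0',
  dependencies: {
    mozjpeg: { version: '7.1.0', dependencies: {
      logalot: { version: '2.1.0', dependencies: {
        squeak: { version: '1.3.0', dependencies: {
          'lpad-align': { version: '1.1.2', dependencies: {
            meow: { version: '3.7.0', dependencies: {
              'trim-newlines': { version: '1.0.0' } } } } } } } } } } },
    'some-other-tool': { version: '1.0.0', dependencies: {   // hypothetical
      meow: { version: '10.0.1', dependencies: {
        'trim-newlines': { version: '4.0.1' } } } } },
  },
};

// Fixed releases per the GHSA advisory for CVE-2021-33623 (not from the issue).
const FIXED_IN = ['3.0.1', '4.0.1'];

function parseVersion(v) { return v.split('.').map(Number); }

// True when `version` is below the fix on its own major line, or below the
// lowest fix when its major line has no dedicated fix (e.g. 1.x, 2.x).
function isVulnerable(version, fixedIn = FIXED_IN) {
  const [maj, min, pat] = parseVersion(version);
  const fixes = fixedIn.map(parseVersion);
  const target = fixes.find(f => f[0] === maj) || fixes[0];
  if (maj !== target[0]) return maj < target[0];
  if (min !== target[1]) return min < target[1];
  return pat < target[2];
}

// Depth-first walk; returns one record per occurrence of `target`.
function findPaths(node, target, path = [`${node.name}@${node.version}`]) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    if (name === target) {
      hits.push({ path: here.join(' > '), version: child.version,
                  vulnerable: isVulnerable(child.version) });
    }
    hits.push(...findPaths({ name, ...child }, target, here));
  }
  return hits;
}

for (const r of findPaths(SAMPLE_TREE, 'trim-newlines')) {
  console.log(r.vulnerable ? 'VULNERABLE' : 'ok        ', r.path);
}
```

On a real project, feed it `JSON.parse` of `npm ls --all --json` output in place of the constructed tree; the `(current)` / `(2.0.0)` annotations in the issue's tree are not part of that format and are not needed here.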
