Vulnerabilities in dependencies flagged on npm audit #393

Open
maries24 opened this issue Sep 29, 2021 · 3 comments

@maries24

Hello,

I'm using imagemin-cli (7.0.0) and 3 high severity vulnerabilities are flagged by npm on audit.

Here are the details given; they all boil down to the version of trim-newlines package in use.

High: Regular Expression Denial of Service
Package: trim-newlines
Patched in: >=3.0.1 <4.0.0 || >=4.0.1
Dependency of: imagemin-cli
Path: imagemin-cli > imagemin-gifsicle > gifsicle > logalot > squeak > lpad-align > meow > trim-newlines
More info: https://npmjs.com/advisories/1753

High: Regular Expression Denial of Service
Package: trim-newlines
Patched in: >=3.0.1 <4.0.0 || >=4.0.1
Dependency of: imagemin-cli
Path: imagemin-cli > imagemin-jpegtran > jpegtran-bin > logalot > squeak > lpad-align > meow > trim-newlines
More info: https://npmjs.com/advisories/1753

High: Regular Expression Denial of Service
Package: trim-newlines
Patched in: >=3.0.1 <4.0.0 || >=4.0.1
Dependency of: imagemin-cli
Path: imagemin-cli > imagemin-optipng > optipng-bin > logalot > squeak > lpad-align > meow > trim-newlines
More info: https://npmjs.com/advisories/1753

The fix most probably needs to be done at the level of the meow package (I'll flag it there too) but I thought I'd flag it here as it needs to be implemented 'back up' to this package as far as I'm concerned (if that makes sense).

Many thanks!

@matthewdowns

This repo is no longer maintained :(

@hkjeffchan

I am maintaining a new version at https://github.com/hkjeffchan/imagemin, which includes CJS support and updated dependencies, if you are interested.

@AlonNavon

Hey @maries24,

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. Our patches are all open-source and completely free. See our repository.
If you want us to make a vulnerability-free version of trim-newlines, feel free to reach us at info@seal.security.
