imagemin packages widely depend on unmaintained npm packages

[lopopolo]

Lots of packages in this organization depend on some of the following npm packages:

• https://www.npmjs.com/package/bin-wrapper
• https://www.npmjs.com/package/bin-build
• https://www.npmjs.com/package/bin-check
• https://www.npmjs.com/package/exec-buffer

Based on the last commit date, last npm version publish date, and lack of activity on PRs and issues, I believe these packages are unmaintained. Dependencies are very out of date and PRs are not merged: kevva/bin-build#20, kevva/bin-check#4, and kevva/exec-buffer#10.

These packages have almost a million downloads per week, largely because imagemin packages depend on them.

The packages are fairly simple. Would it be possible to fork them into this organization so they are maintained?

[lopopolo]

See also imagemin/imagemin-gifsicle#48, imagemin/imagemin-mozjpeg#57, imagemin/imagemin-pngquant#75, imagemin/pngquant-bin#118.

[mjpieters]

Please add https://www.npmjs.com/package/logalot to the list.

logalot has not been touched since 2015, and now has a transitive dependency on trim-newlines, which has a high-severity security issue (logalot@2.1.0 -> squeak@1.3.0 -> lpad-align@1.1.2 -> meow@3.7.0 -> trim-newlines@^1.0.0). See kevva/logalot#4, kevva/squeak#4.

The following issues for imagemin packages all relate to this issue:

• Security issue CVE-2021-33623 imagemin-optipng#32
• Dependency update needed to address trim-newlines CVE-2021-33623 imagemin-mozjpeg#63