This repository has been archived by the owner on Mar 17, 2023. It is now read-only.

Security vulnerability with trim-newlines #347

Closed
rjz-avaleo opened this issue Jun 11, 2021 · 1 comment

Comments

@rjz-avaleo

npm audit reported a high security vulnerability for trim-newlines package, which is a transitive dependency of a few dependent packages:

  • image-webpack-loader>imagemin-gifsicle>gifsicle>logalot>squeak>lpad-align>meow>trim-newlines
  • image-webpack-loader>imagemin-mozjpeg>mozjpeg>logalot>squeak>lpad-align>meow>trim-newlines
  • image-webpack-loader>imagemin-optipng>optipng-bin>logalot>squeak>lpad-align>meow>trim-newlines
  • image-webpack-loader>imagemin-pngquant>pngquant-bin>logalot>squeak>lpad-align>meow>trim-newlines
  • image-webpack-loader>imagemin-webp>cwebp-bin>logalot>squeak>lpad-align>meow>trim-newlines
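The chains above are the kind of output `npm audit` derives from the lock file. As an added example (not code from the image-webpack-loader project or from the issue), the script below reproduces that derivation offline: it walks a `package-lock.json` in the lockfileVersion 1 layout, resolves each `requires` entry the way npm does (nearest nested `dependencies` first, then outward), and returns every chain from a direct dependency to a target package together with the version that chain actually resolves to. The lock file, its package versions and the `findChains` function are constructed for illustration; the nested `meow`/`trim-newlines` copy under `lpad-align` mirrors the report's chains and shows why a newer top-level copy of the same package does not remove the flagged one.

```javascript
// Added example: list every dependency chain to a package, npm-audit style.
// CONSTRUCTED lock file; versions are illustrative placeholders.
const CONSTRUCTED_LOCK = {
  name: "app",
  lockfileVersion: 1,
  dependencies: {
    "image-webpack-loader": {
      version: "0.0.0",
      requires: { "imagemin-gifsicle": "*", "imagemin-mozjpeg": "*" },
    },
    "imagemin-gifsicle": { version: "0.0.0", requires: { gifsicle: "*" } },
    "imagemin-mozjpeg": { version: "0.0.0", requires: { mozjpeg: "*" } },
    gifsicle: { version: "0.0.0", requires: { logalot: "*" } },
    mozjpeg: { version: "0.0.0", requires: { logalot: "*" } },
    logalot: { version: "0.0.0", requires: { squeak: "*" } },
    squeak: { version: "0.0.0", requires: { "lpad-align": "*" } },
    "lpad-align": {
      version: "0.0.0",
      requires: { meow: "*" },
      // Nested copies: this is the meow/trim-newlines pair the chains hit.
      dependencies: {
        meow: { version: "1.0.0", requires: { "trim-newlines": "*" } },
        "trim-newlines": { version: "1.0.0" },
      },
    },
    // Top-level copies that the flagged chains never reach.
    meow: { version: "3.0.0", requires: { "trim-newlines": "*" } },
    "trim-newlines": { version: "3.0.0" },
  },
};

// Resolve `name` like npm: search the innermost enclosing node_modules first.
// `scopes` is a list of `dependencies` maps, innermost first.
function resolve(name, scopes) {
  for (let i = 0; i < scopes.length; i++) {
    const entry = scopes[i][name];
    if (entry) {
      // The resolved package's own nested deps become the innermost scope.
      const outward = scopes.slice(i);
      const inner = entry.dependencies ? [entry.dependencies, ...outward] : outward;
      return { entry, scopes: inner };
    }
  }
  return null;
}

// Return [{ chain: "a>b>c", version }] for every path from a direct
// dependency (names from package.json) down to `target`.
function findChains(lock, directDeps, target) {
  const root = lock.dependencies || {};
  const found = [];

  function walk(name, entry, scopes, path) {
    const chain = [...path, name];
    if (name === target) {
      found.push({ chain: chain.join(">"), version: entry.version });
      return;
    }
    for (const dep of Object.keys(entry.requires || {})) {
      if (chain.includes(dep)) continue; // guard against cyclic requires
      const r = resolve(dep, scopes);
      if (r) walk(dep, r.entry, r.scopes, chain);
    }
  }

  for (const name of directDeps) {
    const r = resolve(name, [root]);
    if (r) walk(name, r.entry, r.scopes, []);
  }
  return found;
}

// Stand-alone run: print the chains the way npm audit lists them.
for (const { chain, version } of findChains(CONSTRUCTED_LOCK, ["image-webpack-loader"], "trim-newlines")) {
  console.log(`${chain}  (resolves to ${version})`);
}
```

The resolved version is the useful part: it tells you which physical copy of the package a chain ends at. When, as here, it is a nested copy pinned by an unmaintained intermediate, bumping the top-level package changes nothing; the fix is to force the nested copy to a patched version (npm's `overrides` field in package.json, or Yarn's `resolutions`) and confirm by re-running the walk.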
@tcoopman
Owner

These are all problems with deeper dependencies.

  1. I don't think these have any risks (how would you exploit this on a webpack loader?)
  2. I try to keep up to date with the dependencies, but some of them are not well maintained (see Consider switching to squoosh #353) so it's not easy to fix.
  3. Pull requests that fix these are always welcome.

I'm closing this, but feel free to open a PR that fixes them, or I'm willing to reopen if you can at least give any indication of how this can be a risk for a webpack loader.
