This repository has been archived by the owner on Mar 17, 2023. It is now read-only.

Security vulnerability with normalize-url #348

Closed
rjz-avaleo opened this issue Jun 11, 2021 · 2 comments

Comments

@rjz-avaleo

npm audit reported a high-severity security vulnerability for the normalize-url package, which is a transitive dependency of a few dependent packages:

  • image-webpack-loader>imagemin-gifsicle>gifsicle>bin-wrapper>download>got>cacheable-request>normalize-url
  • image-webpack-loader>imagemin-mozjpeg>mozjpeg>bin-wrapper>download>got>cacheable-request>normalize-url
  • image-webpack-loader>imagemin-optipng>optipng-bin>bin-wrapper>download>got>cacheable-request>normalize-url
  • image-webpack-loader>imagemin-pngquant>pngquant-bin>bin-wrapper>download>got>cacheable-request>normalize-url
  • image-webpack-loader>imagemin-webp>cwebp-bin>bin-wrapper>download>got>cacheable-request>normalize-url
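As an added example (not code from this issue or from the image-webpack-loader project), the script below rebuilds the five reported chains as a constructed dependency tree in the nested `dependencies` shape of `npm ls --all --json` (where `dev: true` is assumed to mark dev-only packages), lists every path to the flagged package, and reports whether all of them originate from devDependencies, which is the build-time-only question this thread turns on.

```javascript
// Added example, not code from the issue or the project. Reproduces the paths
// npm audit reported and checks whether the flagged package is reachable only
// through devDependencies. Tree shape assumed: the nested `dependencies`
// objects of `npm ls --all --json`, where `dev: true` marks dev-only packages.
// Build one nested dependency branch from a list of names, outermost first.
// Versions are constructed placeholders, not the versions from the report.
function branch(names, dev) {
  return names.reduceRight(
    (child, name) => ({ [name]: { version: "0.0.0", dev, dependencies: child } }),
    {}
  );
}

// The five chains from the report, all under image-webpack-loader.
const plugins = [
  ["imagemin-gifsicle", "gifsicle"], ["imagemin-mozjpeg", "mozjpeg"],
  ["imagemin-optipng", "optipng-bin"], ["imagemin-pngquant", "pngquant-bin"],
  ["imagemin-webp", "cwebp-bin"],
];
const common = ["bin-wrapper", "download", "got", "cacheable-request", "normalize-url"];

// Constructed sample tree: the loader is a devDependency; `express` stands in
// for a runtime dependency so the two cases can be compared.
const lockTree = {
  name: "example-app",
  dependencies: {
    "image-webpack-loader": {
      version: "0.0.0", dev: true,
      dependencies: Object.assign({}, ...plugins.map(p => branch([...p, ...common], true))),
    },
    express: { version: "0.0.0", dependencies: {} },
  },
};

// Depth-first walk collecting every path ending at `target` plus that occurrence's dev flag.
function findPaths(node, target, prefix = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, name];
    if (name === target) out.push({ path: path.join(">"), dev: Boolean(child.dev) });
    findPaths(child, target, path, out);
  }
  return out;
}

// Triage summary: a dev-only result supports a "build-time tooling" assessment,
// but on its own it does not show the vulnerable code path is never executed.
function triage(tree, target) {
  const hits = findPaths(tree, target);
  return { paths: hits.map(h => h.path), buildTimeOnly: hits.length > 0 && hits.every(h => h.dev) };
}

console.log(triage(lockTree, "normalize-url"));
```

Running it prints the same five `>`-separated chains shown in the report and `buildTimeOnly: true`; swapping in the output of `npm ls --all --json` from a real project gives the same triage for that project.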
@KidsOnShred

We would also like this to be patched 🙏

@tcoopman
Owner

These are all problems with deeper dependencies.

  1. I don't think these have any risks (how would you exploit this on a webpack loader?)
  2. I try to keep up to date with the dependencies, but some of them are not well maintained (see Consider switching to squoosh #353) so it's not easy to fix.
  3. Pull requests that fix these are always welcome.

I'm closing this, but feel free to open a PR that fixes them, or I'm willing to reopen it if you can at least give some indication of how this could be a risk for a webpack loader.
