imagemin-mozjpeg
Dependency update needed to address trim-newlines CVE-2021-33623
I was curious how this package was hoping to address CVE-2021-33623.
```
└─┬ [email protected] (current)
  └─┬ [email protected] (current)
    └─┬ [email protected] (current)
      └─┬ [email protected] (current)
        └─┬ [email protected] (2.0.0)
          └─┬ [email protected] (10.0.1)
            └── [email protected] (
```
- squeak's package.json may want to update lpad-align to 2.*
- lpad-align's 2.0.0 package.json still references meow 3.3
- meow's 10.0.1 package.json requires the patched trim-newlines: "^4.0.1"
If lpad-align is able to update its meow dependency to the latest version (^10), then all should be well. But others may have better solutions. It appears there is an issue for lpad-align requesting an upgrade; however, the last commit to that repository was 4 years ago. lpad-align, squeak and logalot are all maintained by the same person, @kevva. It's been several years since a commit on those repositories, so they may no longer be actively maintained. I'll see if I can get in touch with @kevva and see if he has any interest in updating things.
If not, it may be best for mozjpeg to rework and drop the dependency upon logalot. Perhaps https://www.npmjs.com/package/better-logging would be a better solution. I will suggest that as a possibility on the mozjpeg project.
Hopefully this helps folks consider the various options for resolving CVE-2021-33623 in this project.