Closed romainmenke closed 3 years ago
@1000ch @kevva
Maybe useful to someone, we ended up removing everything from imagemin as a result of this issue. Too many times have we seen security alerts caused by libraries importing random logging utilities.
We are now just using https://github.com/GoogleChromeLabs/squoosh cli
@fuqua @romainmenke Sorry for the late response. I think we want to fix logalot itself ideally, but it should be fixed with native console at the moment, because logalot is not critical for the module feature at least. Let me fix imagemin modules in this way. cc: @sindresorhus @kevva
@1000ch why not use console directly here?
Sorry, I'm not sure about the original intention... but guessing to provide better logging UI with better functionality.
I think just using console.log is fine for this purpose.
not counting dev dependencies
logalot was only used in the postinstall script and did not add any real value. Fewer dependencies means less surface for security issues. https://www.npmjs.com/advisories/1753