imagemin / gifsicle-bin

gifsicle bin-wrapper that makes it seamlessly available as a local dependency
http://www.lcdf.org/gifsicle/
MIT License

bin-wrapper is not maintained, can we depend on something else? #147

Open peterbe opened 12 months ago

peterbe commented 12 months ago

👋 I'm new to this project and don't know much about the community behind it. But I'm concerned about security vulnerability reports coming from deep dependencies. In particular, semver-regex.

This is how it gets used:

❯ npm ls semver-regex
...
└─┬ imagemin-gifsicle@7.0.0
  └─┬ gifsicle@5.3.0
    └─┬ bin-wrapper@4.1.0
      └─┬ bin-version-check@4.0.0
        └─┬ bin-version@3.1.0
          └─┬ find-versions@3.2.0
            └── semver-regex@2.0.0

Poking around, it seems the buck stops with bin-wrapper. Last commit on that repo was November 2018.

Can we omit/replace bin-wrapper and use something more maintained?
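One way to audit a chain like the one above on a real tree, added here as an example that is not part of this issue or of the gifsicle-bin project: walk the JSON that `npm ls --all --json` prints and list every dependency path that reaches a given package, plus which direct dependency would have to change to drop it. The tree below is a constructed sample mirroring the quoted chain, and the function names are my own.

```javascript
// Added example (not from imagemin/gifsicle-bin). Walks the object tree that
// `npm ls --all --json` prints (each node has `version` and an optional
// `dependencies` map) and collects every path to `target`, as `name@version`
// strings from the direct dependency down to the target itself.
function findPaths(tree, target, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) out.push(here);
    findPaths(node, target, here, out); // recurse: a package can appear deeper too
  }
  return out;
}

// Direct dependencies that pull the target in; each of these would need to be
// replaced or upgraded before the target disappears from the lockfile.
function rootsPullingIn(tree, target) {
  return [...new Set(findPaths(tree, target).map((p) => p[0].split('@')[0]))];
}

// Constructed sample of `npm ls --all --json` output, trimmed to the chain
// quoted in the issue (npm 7+ prints the full tree with --all; older npm
// may mark repeated subtrees as deduped without their children).
const sampleTree = {
  name: 'my-app',
  dependencies: {
    'imagemin-gifsicle': { version: '7.0.0', dependencies: {
      gifsicle: { version: '5.3.0', dependencies: {
        'bin-wrapper': { version: '4.1.0', dependencies: {
          'bin-version-check': { version: '4.0.0', dependencies: {
            'bin-version': { version: '3.1.0', dependencies: {
              'find-versions': { version: '3.2.0', dependencies: {
                'semver-regex': { version: '2.0.0' },
              } },
            } },
          } },
        } },
      } },
    } },
  },
};

for (const p of findPaths(sampleTree, 'semver-regex')) console.log(p.join(' > '));
console.log('direct deps responsible:', rootsPullingIn(sampleTree, 'semver-regex'));
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of the captured `npm ls --all --json` output.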

peterbe commented 12 months ago

Perhaps https://www.npmjs.com/package/@mole-inc/bin-wrapper

This is a fork of kevva/bin-wrapper.

...it says :)