Open jakebrown58 opened 4 years ago
A new release that allows cwebp-bin to be >= 6.1.2 would be super useful. Prior to that version, cwebp-bin depends on the seemingly abandoned logalot, which pulls in a hilariously large number of outdated dependencies, including (eventually) trim-newlines, which has a DoS vulnerability: https://github.com/advisories/GHSA-7p7h-4mm5-852v
Dependency cwebp-bin was upgraded to 6.0.0 on May 29th, but a new version of this library was not released, so upstream dependencies are flagging this for an npm security audit.