papandreou / node-pngquant

The pngquant utility as a readable/writable stream
BSD 3-Clause "New" or "Revised" License

update dependencies to non-vulnerable versions #100

Closed toufali closed 2 years ago

toufali commented 2 years ago

Fixes #99

papandreou commented 2 years ago

I'd rather not let go of offline-github-changelog -- could we fix those problems over at https://github.com/sunesimonsen/offline-github-changelog instead? I'm a co-maintainer, so can help get fixes landed quickly.

Also, I don't want to introduce a package lock file here. It's ignored when pngquant is installed as a dependency anyway, so I doubt that it actually gets rid of the security vulnerabilities in that context.

toufali commented 2 years ago

Interesting point about the lock file being ignored when installed as a dependency – I didn't know that!

In that case, pngquant-bin seems like it's going to be the hold-out in terms of resolving vulnerabilities, unless you're a co-maintainer on that too 😉

As for offline-github-changelog, the vuln I see on my end is with @transformation/ejs. It looks like there's already a PR to upgrade this:

https://github.com/sunesimonsen/offline-github-changelog/pull/80

I see a bunch more "bump" PRs in offline-github-changelog, but it's possible that just merging the one above would resolve the issue in this repo 🤞

Actually on further examination I think even the latest @transformation/ejs is using a vulnerable version of ejs, so who knows: https://github.com/sunesimonsen/transformation/blob/40d752aee34b08ce69296fc8c54d015614df8d2e/packages/ejs/package.json#L22

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q

papandreou commented 2 years ago

I merged that and updated a bunch of other stuff, released offline-github-changelog@3.0.0, then updated to that on master. Also updated pngquant-bin to the latest version. How does it look now?

toufali commented 2 years ago

With your update to offline-github-changelog I now see 15 vulnerabilities instead of 16 upon install. Unfortunately the package @transformation/ejs (used by offline-github-changelog@3.0.0) is still tied to a critical version of ejs (<3.1.7): https://github.com/sunesimonsen/transformation/blob/40d752aee34b08ce69296fc8c54d015614df8d2e/packages/ejs/package.json#L22

The maintainer of @transformation/ejs would need to update ejs to 3.1.7 or higher.

We could further reduce vulnerabilities down to 12 by upgrading Mocha to 10.1.0 or higher: https://github.com/papandreou/node-pngquant/pull/101

That should only leave pngquant-bin and offline-github-changelog with ~12 vulnerabilities (3 of which are critical).
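
The nested-copy situation discussed in this thread (a fixed ejs at top level can coexist with an older ejs pinned under @transformation/ejs, and a dev-only dependency never reaches consumers who install pngquant as a dependency) can be checked mechanically. The following is an added example, not code from node-pngquant or its maintainers; the lock data is constructed and the helper names are hypothetical.

```javascript
// Added example, not code from node-pngquant: scan a package-lock "packages" map
// (lockfile v2/v3) for copies of a package below the advisory's fixed version and
// show the chain pulling each in. Versions are plain major.minor.patch only.

function versionLt(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// "node_modules/@scope/a/node_modules/b" -> ["@scope/a", "b"]
function dependencyChain(lockPath) {
  return lockPath.split('node_modules/')
    .map((s) => s.replace(/\/$/, ''))
    .filter(Boolean);
}

// Returns { path, version, chain, dev } for each installed copy of `name` < fixedIn.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  for (const [lockPath, info] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry
    const chain = dependencyChain(lockPath);
    if (chain[chain.length - 1] !== name) continue;
    if (versionLt(info.version, fixedIn)) {
      hits.push({ path: lockPath, version: info.version, chain, dev: Boolean(info.dev) });
    }
  }
  return hits;
}

// Constructed sample lock: a fixed top-level ejs plus a nested, older copy that is
// reached only through a dev dependency. Versions other than ejs are made up.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/ejs': { version: '3.1.8' },
    'node_modules/offline-github-changelog': { version: '3.0.0', dev: true },
    'node_modules/@transformation/ejs': { version: '0.0.1', dev: true },
    'node_modules/@transformation/ejs/node_modules/ejs': { version: '3.1.6', dev: true },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK, 'ejs', '3.1.7')) {
  console.log(`${h.chain.join(' > ')}@${h.version} is below 3.1.7${h.dev ? ' (dev only)' : ''}`);
}
```

A hit flagged "dev only" is still worth fixing in the repo's own CI, but it does not ship to projects that depend on pngquant, which is why the consumer-side audit count and the repo-side count differ.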

papandreou commented 1 year ago

@toufali, @transformation/ejs version 6.0.1 got released with the ejs dependency bumped.

toufali commented 1 year ago

Hey @papandreou that's a good upgrade!

I was wary of pngquant-bin vulnerabilities and lack of Node 18 support, so I switched to webp. 😬

papandreou commented 1 year ago

Haha, that's also a fine outcome. If I were to build an image processing pipeline with node.js today, I'd probably reach for WASM-based builds of these tools.