prebuild / prebuildify-cross

Compile prebuilds in Docker.

Latest version depends on vulnerable packages #15

Closed dead-claudia closed 2 years ago

dead-claudia commented 2 years ago

Output of npm audit

# npm audit report

debug  <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install prebuildify-cross@3.1.2, which is a breaking change
node_modules/docker-run/node_modules/debug
  docker-run  *
  Depends on vulnerable versions of debug
  node_modules/docker-run
    prebuildify-cross  >=4.0.0
    Depends on vulnerable versions of docker-run
    node_modules/prebuildify-cross

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow

5 vulnerabilities (3 low, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
vweevers commented 2 years ago

Most if not all people are using prebuildify-cross in CI, which (correct me if I'm wrong) is not an environment in which ReDoS vulnerabilities matter. Similarly, if you are using prebuildify-cross locally, I doubt these vulnerabilities can do any harm because every input is yours. If you are using prebuildify-cross in a public-facing server, taking user input, then I'd say it's your responsibility to sanitize user input (etc).

That said, if updating dependencies here can remove the vulnerabilities, then a PR is welcome.
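Added example, not code from the issue or from the prebuildify-cross project: a small triage helper over an `npm audit --json` report. It assumes the npm 7+ JSON shape (`vulnerabilities` keyed by package, each with `via`, `effects` and `fixAvailable`), and the sample object is constructed to mirror the text report above. For each advisory it follows the `effects` chain up to the package the project depends on directly, and flags whether the only fix on offer is a semver-major bump (here the downgrade to `prebuildify-cross@3.1.2`), which is the information needed to decide between `npm audit fix` and `--force`.

```javascript
// Constructed sample in the npm 7+ `npm audit --json` shape (assumed),
// carrying the same packages and advisories as the issue's text report.
const AUDIT = {
  vulnerabilities: {
    debug: { name: 'debug', severity: 'low',
      via: [{ title: 'Regular Expression Denial of Service in debug',
              url: 'https://github.com/advisories/GHSA-gxpj-cx7g-858c' }],
      effects: ['docker-run'],
      fixAvailable: { name: 'prebuildify-cross', version: '3.1.2', isSemVerMajor: true } },
    'docker-run': { name: 'docker-run', severity: 'low',
      via: ['debug'], effects: ['prebuildify-cross'],
      fixAvailable: { name: 'prebuildify-cross', version: '3.1.2', isSemVerMajor: true } },
    'prebuildify-cross': { name: 'prebuildify-cross', severity: 'low',
      via: ['docker-run'], effects: [],
      fixAvailable: { name: 'prebuildify-cross', version: '3.1.2', isSemVerMajor: true } },
    'trim-newlines': { name: 'trim-newlines', severity: 'high',
      via: [{ title: 'Regular Expression Denial of Service in trim-newlines',
              url: 'https://github.com/advisories/GHSA-7p7h-4mm5-852v' }],
      effects: ['meow'], fixAvailable: true },
    // meow has no further dependents in the constructed sample
    meow: { name: 'meow', severity: 'high', via: ['trim-newlines'], effects: [],
      fixAvailable: true },
  },
};

// Walk `effects` upward until a package with no dependents is reached; those
// are the packages the project itself depends on. `seen` guards against cycles.
function rootsOf(name, vulns, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry || entry.effects.length === 0) return [name];
  return [...new Set(entry.effects.flatMap((e) => rootsOf(e, vulns, seen)))];
}

// One row per advisory: entries whose `via` contains an advisory object rather
// than only the names of other vulnerable packages.
function triage(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns)
    .filter((v) => v.via.some((x) => typeof x === 'object'))
    .map((v) => ({
      package: v.name,
      severity: v.severity,
      advisory: v.via.find((x) => typeof x === 'object').url,
      reachedVia: rootsOf(v.name, vulns),   // direct dependencies that pull it in
      breakingFix: typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true,
    }));
}
```

For a real project, replace `AUDIT` with `JSON.parse` of the output of `npm audit --json` and check that the field names match your npm version before relying on the result.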