sindresorhus / meow

🐈 CLI app helper
MIT License

Vulnerability in dependency trim-newlines #200

Closed maries24 closed 3 years ago

maries24 commented 3 years ago

Hello,

An npm audit flags the following vulnerabilities when I install imagemin-cli, which depends on meow, which in turn depends on trim-newlines.

Here are the details given; they all boil down to the version of the trim-newlines package in use.

High: Regular Expression Denial of Service
Package : trim-newlines
Patched in: >=3.0.1 <4.0.0 || >=4.0.1
Dependency of: imagemin-cli
Path: imagemin-cli > imagemin-gifsicle > gifsicle > logalot > squeak > lpad-align > meow > trim-newlines
More info: https://npmjs.com/advisories/1753

High: Regular Expression Denial of Service
Package : trim-newlines
Patched in: >=3.0.1 <4.0.0 || >=4.0.1
Dependency of: imagemin-cli
Path: imagemin-cli > imagemin-jpegtran > jpegtran-bin > logalot > squeak > lpad-align > meow > trim-newlines
More info: https://npmjs.com/advisories/1753

High: Regular Expression Denial of Service
Package : trim-newlines
Patched in: >=3.0.1 <4.0.0 || >=4.0.1
Dependency of: imagemin-cli
Path: imagemin-cli > imagemin-optipng > optipng-bin > logalot > squeak > lpad-align > meow > trim-newlines
More info: https://npmjs.com/advisories/1753

Would it be possible to upgrade trim-newlines to the recommended version?

Many thanks!

sindresorhus commented 3 years ago

The latest meow version is already using the latest trim-newlines version.
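Added example, not code from meow or from either comment above: a small range check that evaluates the "Patched in" range quoted in the audit output against the trim-newlines version resolved at the end of each reported dependency path, so a maintainer can confirm the resolved version actually clears the advisory rather than going by a package label. The versions paired with the three paths are constructed for the sample; the range string is the one the audit printed.

```javascript
// Added example (not meow's code): checks versions against the advisory's
// "Patched in" range; supports the npm range subset it uses (AND by space, OR by "||").
const PATCHED_RANGE = '>=3.0.1 <4.0.0 || >=4.0.1'; // quoted from the audit output above

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    default: return c === 0;
  }
}

// Patched if every comparator of at least one "||" alternative holds.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => satisfiesComparator(version, cmp)));
}

// Constructed sample: the three paths from the audit output, each paired with a
// hypothetical trim-newlines version resolved at the end of that path.
const SAMPLE_PATHS = [
  ['imagemin-cli > imagemin-gifsicle > gifsicle > logalot > squeak > lpad-align > meow > trim-newlines', '3.0.0'],
  ['imagemin-cli > imagemin-jpegtran > jpegtran-bin > logalot > squeak > lpad-align > meow > trim-newlines', '3.0.1'],
  ['imagemin-cli > imagemin-optipng > optipng-bin > logalot > squeak > lpad-align > meow > trim-newlines', '4.0.0'],
];

// Returns the paths whose resolved version still falls outside the patched range.
function vulnerablePaths(entries, range = PATCHED_RANGE) {
  return entries.filter(([, v]) => !satisfies(v, range)).map(([p]) => p);
}
```

Note that 4.0.0 is reported as still vulnerable: the range has a gap between the 3.x fix and 4.0.1, so a bump to a newer major does not by itself clear the finding.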