npm audit complaints

[papandreou]

Getting a clean sheet from npm audit is presently blocked by:

• Update to bin-build v3 imagemin/optipng-bin#99
• Bump bin-wrapper to version 4 imagemin/pngquant-bin#89
• https://github.com/imagemin/pngcrush-bin using bin-wrapper@^3.0.0, which triggers https://nodesecurity.io/advisories/598
• Same for https://github.com/imagemin/jpegtran-bin/blob/eb9153676f6013c50c7325aee35aa3bc13398595/package.json#L52

[XhmikosR]

@papandreou: these are fixed upstream. Can you update the packages and release a new version?

[XhmikosR]

BTW please don't lock down the versions. If a patch release is made, you need to release a new version yourself too, which is bad. Just use a semver operator that fits your needs.

[papandreou]

Thanks for the heads up! I've been through all of them now, released new versions of the wrappers I maintain, and updated assetgraph-builder to them.

There are still some dependencies on the old versions via the express-processimage dependency. I expect that to be sorted out shortly.

[XhmikosR]

Thnaks! I think you missed a few deps from adding a sevmver operator like assetgraph.

Waiting for the express-processimage fixes :)

[papandreou]

I think you missed a few deps from adding a sevmver operator like assetgraph.

Yeah, that is intentional. The two projects are intimately connected, and whenever we make radical changes to assetgraph (such as replacing the JavaScript parser in yesterday's minor release), there's often breakage in the assetgraph-builder test suite. It's stuff that doesn't matter externally (or we'd make a major version bump), but I've come to prefer to do the updates in a handheld way.

Waiting for the express-processimage fixes :)

It seems like the project is in a bit of a bad state due to some recent changes to streams in node 10, but we'll get it sorted out.

[papandreou]

Sorted out the express-processimage situation now and released 6.9.1. We're down only low and moderate ones now:

found 12 vulnerabilities (6 low, 6 moderate)