bin-wrapper is not maintained, can we depend on something else? #147

peterbe · 2023-09-20T16:44:42Z

👋 I'm new to this project and don't know much about the community behind it.
But I'm concerned about security vulnerability reports coming from deep dependencies. In particular semver-regex

This is how it gets used:

❯ npm ls semver-regex
...
└─┬ imagemin-gifsicle@7.0.0
  └─┬ gifsicle@5.3.0
    └─┬ bin-wrapper@4.1.0
      └─┬ bin-version-check@4.0.0
        └─┬ bin-version@3.1.0
          └─┬ find-versions@3.2.0
            └── semver-regex@2.0.0

Poking around, it seems the buck stops with bin-wrapper.
Last commit on that repo was November 2018.

Can we omit/replace bin-wrapper and use something more maintained?

The text was updated successfully, but these errors were encountered:

peterbe · 2023-09-20T16:51:48Z

Perhaps https://www.npmjs.com/package/@mole-inc/bin-wrapper

This is a fork of kevva/bin-wrapper.

...it says :)

Fixes imagemin#147

peterbe added a commit to peterbe/gifsicle-bin that referenced this issue Sep 20, 2023

switch to @mole-inc/bin-wrapper

0d44d52

Fixes imagemin#147

peterbe linked a pull request Sep 20, 2023 that will close this issue

Switch to @mole-inc/bin-wrapper #148

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bin-wrapper is not maintained, can we depend on something else? #147

bin-wrapper is not maintained, can we depend on something else? #147

peterbe commented Sep 20, 2023

peterbe commented Sep 20, 2023

bin-wrapper is not maintained, can we depend on something else? #147

bin-wrapper is not maintained, can we depend on something else? #147

Comments

peterbe commented Sep 20, 2023

peterbe commented Sep 20, 2023