
Vulnerable Dependencies #1

@BravishkaSkytano

Description


When I ran npm i eleventy-favicon I got a warning about vulnerabilities regarding the plugin. From what I understand, eleventy-favicon depends on vulnerable versions of to-ico, which depends on vulnerable versions of resize-img, which depends on vulnerable versions of jimp and so on.

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
No fix available
node_modules/jimp/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/jimp/node_modules/mkdirp
    jimp  0.2.18 - 0.3.5
    Depends on vulnerable versions of mkdirp
    Depends on vulnerable versions of url-regex
    node_modules/jimp
      resize-img  <=1.1.2
      Depends on vulnerable versions of jimp
      node_modules/resize-img
        to-ico  >=1.1.0
        Depends on vulnerable versions of resize-img
        node_modules/to-ico
          eleventy-favicon  *
          Depends on vulnerable versions of to-ico
          node_modules/eleventy-favicon

url-regex  *
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1550
No fix available
node_modules/url-regex
  jimp  0.2.18 - 0.3.5
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of url-regex
  node_modules/jimp
    resize-img  <=1.1.2
    Depends on vulnerable versions of jimp
    node_modules/resize-img
      to-ico  >=1.1.0
      Depends on vulnerable versions of resize-img
      node_modules/to-ico
        eleventy-favicon  *
        Depends on vulnerable versions of to-ico
        node_modules/eleventy-favicon
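The indented tree that npm audit printed above can be walked programmatically to see which direct dependency pulls the vulnerable package in. The following is an added example, not code from this issue or from eleventy-favicon: it parses the minimist block quoted above (embedded inline as sample input) and assumes the audit output keeps the two-spaces-per-level layout shown.

```javascript
// Added example (not from the issue): parse the npm audit text tree quoted above.
const SAMPLE = `minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
No fix available
node_modules/jimp/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/jimp/node_modules/mkdirp
    jimp  0.2.18 - 0.3.5
    Depends on vulnerable versions of mkdirp
    Depends on vulnerable versions of url-regex
    node_modules/jimp
      resize-img  <=1.1.2
      Depends on vulnerable versions of jimp
      node_modules/resize-img
        to-ico  >=1.1.0
        Depends on vulnerable versions of resize-img
        node_modules/to-ico
          eleventy-favicon  *
          Depends on vulnerable versions of to-ico
          node_modules/eleventy-favicon`;
const DEPENDS = "Depends on vulnerable versions of ";
// Each level is "<name>  <range>" (two or more spaces) followed by detail lines;
// every deeper level is a package that depends on the one directly above it.
function parseAuditTree(text) {
  const chain = [];
  let advisory = null, depth = -1;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const indent = raw.length - raw.trimStart().length;
    const header = line.match(/^(\S+)\s{2,}(\S.*)$/);
    if (header) {
      if (indent <= depth) throw new Error("unexpected indentation: " + line);
      depth = indent;
      chain.push({ name: header[1], range: header[2], dependsOn: [], path: null });
      continue;
    }
    const node = chain[chain.length - 1];
    if (!node) continue;
    if (line.startsWith(DEPENDS)) node.dependsOn.push(line.slice(DEPENDS.length));
    else if (line.startsWith("node_modules/")) node.path = line;
    else if (line.includes(" - https://")) advisory = line;
  }
  return { advisory, chain };
}
// Route from the project's direct dependency down to the vulnerable leaf.
function dependencyRoute(report) {
  return report.chain.map((n) => n.name).reverse();
}
console.log(dependencyRoute(parseAuditTree(SAMPLE)).join(" -> "));
```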
