tile-extruder needs it's deps updated (security vulnerability)

[mreinstein]

would you be open to a PR that updates the deps?

[photonstorm]

Just curious where the security vulnerability actually is, given this is a 100% client-side script that runs as part of your asset workflow. It's worth updating the packages just to keep them current, though, of course.

[mreinstein]

Just curious where the security vulnerability actually is

Right I'm not saying there is definitely a vulnerability that is exploitable; I haven't verified that.
Here is the warning I'm getting (via jimp it would seem):

given this is a 100% client-side script that runs as part of your asset workflow

That's the most likely use case, but it really depends on how one uses this module. :)

It's worth updating the packages just to keep them current, though, of course.

Yes, that's part of the purpose of this issue being opened; to see if this thing is still active and accepting PRs or if it's abandonware. I'm happy to try to help freshen deps but I don't want to spend time digging into changelogs and updating modules only to have it sit in a PR that languishes. Not saying that is a fault of tile-extruder, more endemic to the mausoleum -like state of the js module ecosystem.

[mikewesthad]

Thanks! Late to respond here, but all dependencies have been bumped (some unnecessary ones removed) in the latest release. I closed all the dependabot alerts. After the version bumps, all the remaining vulnerabilities did not apply to the repo - they were from exploits in dependencies from dev dependencies, which are not distributed with this library

[mreinstein]

Thank you for fighting the bit rot! 🥇