Fix for #192
Our team was receiving a dependency security advisory for url-regex, required by the dependency chain: `lqip-loader` → `lqip` → `jimp` → `url-regex`. Although `jimp` no longer depends on `url-regex`, `lqip` was using an older version of `jimp` which did.

There are two ways I think this issue can be fixed and I've taken steps along both paths.

My preferred route is to upgrade `jimp` in `lqip`, then upgrade `lqip-loader` and we're done. I've made a PR to lqip to upgrade jimp here.

However, since `lqip` and `lqip-loader` no longer appear to be supported, I've also forked each of these repos to @Memrise (https://github.com/Memrise/lqip-loader and https://github.com/Memrise/lqip) and made this PR to use `@memrise/lqip-loader` instead of `lqip`. This is a little more awkward and I'm not 100% confident in my changes but it is a good backup fix.

What I'd like is either for a check over of this PR and a merge or suggestion as to how we can get the original lqip-loader upgraded. Longer term, I'd love for there to be a plan for moving away from unsupported dependencies such as these.

Apologies for the formatting changes. I have my editor set to auto-prettify and I noticed you don't yet have a `.prettierrc` so I added one along the way to avoid issues like this in the future. Happy to set up proper CI for this if you think it's a good idea!
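
A way to confirm that a chain like the one in the description above is gone after either fix, as an added example that is not part of the PR or of either project. It assumes a tree shaped like the output of `npm ls --all --json`; both sample trees are constructed, with versions left out, and the function names are hypothetical.

```javascript
"use strict";

// Return every dependency chain in `node` that ends at `target`.
// `node` follows the shape of `npm ls --all --json`: each entry under
// "dependencies" may itself carry a nested "dependencies" object.
function findChains(node, target, trail = []) {
  const chains = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (name === target) {
      chains.push(path);
    }
    // Deduplicated entries have no nested "dependencies"; the recursion
    // then returns an empty list for them.
    chains.push(...findChains(child || {}, target, path));
  }
  return chains;
}

// Render chains in the same arrow notation the description uses.
function formatChains(chains) {
  return chains.map((chain) => chain.join(" → "));
}

// Constructed sample: the chain reported in the advisory.
const before = {
  dependencies: {
    "lqip-loader": {
      dependencies: {
        lqip: { dependencies: { jimp: { dependencies: { "url-regex": {} } } } },
      },
    },
  },
};

// Constructed sample: same chain once lqip pulls in a jimp release
// that no longer depends on url-regex (the preferred route).
const after = {
  dependencies: {
    "lqip-loader": { dependencies: { lqip: { dependencies: { jimp: {} } } } },
  },
};

console.log("before:", formatChains(findChains(before, "url-regex")));
console.log("after: ", formatChains(findChains(after, "url-regex")));
```

Run against a real project by parsing the JSON that `npm ls --all --json` prints and passing the result as `node`; an empty result means no installed package still pulls in the flagged dependency.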