Next release? #365

Closed
andy128k opened this issue Nov 11, 2021 · 10 comments

@andy128k
Collaborator

The latest version of favicons appears in npm audit as vulnerable to different kinds of attack because of its dependencies.
It seems the code in the master branch got rid of those issues (by dropping to-ico and jimp). It would be great to have a release and solve these issues for downstream.

Additionally, this package is declared as gulpfriendly and has tests of its usage with gulp. But there are still 7 issues reported by npm audit which are linked to gulp.

Is there some list of issues which block the next release?

@alexander-akait
Member

I think we will finish browserslist support, but we can do a release right now if you want. Moreover, I can add permission to do releases, so you can do it without me.

@andy128k
Collaborator Author

I am not sure if browserslist is actually needed.

  1. Android Chrome icons depend on the device's DPI, not on the browser's version.
  2. Apple icons and splash screens also depend on the device, not the browser.
  3. The Windows platform is not a browser.
  4. Yandex browser wants a single image and this may be turned on/off completely.
  5. For standard icons, favicons generates the bare minimum.

@alexander-akait
Member

@andy128k Can you give me your npm name?

@alexander-akait
Member

Found you, added https://www.npmjs.com/package/favicons/access, feel free to do a release 👍

andy128k added this to the 7.0.0 milestone Nov 13, 2021

@mureni

mureni commented Dec 13, 2021

Any update on when the new release will be available? The audit headaches from the to-ico dependency are driving me nuts!

@andy128k
Collaborator Author

@mureni Version 7.0.0-beta.1 is already released.
Here is also a PR to one of the downstream packages to test it.

@drolsen

drolsen commented Jan 20, 2022

What was the decision for 7.0.0-beta.1's dist/ files to move over to being ESModules vs. the well-established require like on 6.2.2?
I've got a downstream package (node 14.17.0) that I, for the life of me, can't seem to get working using 7.0.0-beta.1 because dist/ is now all ESModules.

@andy128k
Collaborator Author

See #355

@nrthbound

What's the overall status of this? Been quite some time, is this scheduled to be part of the main release sometime soon? Thanks.

@synedra-mpe
Contributor

```
yarn audit v1.22.17
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons > to-ico > resize-img > jimp > mkdirp > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1067342                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

An update would really be encouraged.
