We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We just created a got 6.7.1-sp1 that solves the same CVE-2022-33987 and we're going to upload it tomorrow to our open-source repository. Like all our patches, it's completely free to use and open-source.
If you want us to make a vulnerability-free version of 8.3.2, which is what this library appears to be using, feel free to reach us at [email protected].
There are some vulnerabilities in got (CVE-2022-33987) and http-cache-semantics (CVE-2022-25881), which are transitive dependencies of this package:
It looks like neither download nor bin-wrapper (both by the same user) are maintained anymore and were last published a really long time ago.
Would it be possible to find an alternative for this functionality to mitigate these vulnerabilities?