Description
As of right now, installing this plugin results in the following npm audit report, as shown below. These upgrades / fixes already exist as pull requests via Dependabot; it's just a matter of merging them. I'm not sure who the right person to speak to would be here, so I'm just tagging the last 3 people who have merged something with this project in the hopes that it gets some visibility. @sebastianbenz @patrickkettner @saschazar21
Also, would you be able to provide any kind of statement as to whether this project is under any kind of maintenance? It's not immediately clear, and I just wanted to check before proceeding with using it at all.
Thank you for the effort you have put into it already :)
npm audit report
cross-fetch <=2.2.3 || 2.2.5 || 3.0.0 - 3.1.4 || >=3.2.0-alpha.0
Severity: high
Incorrect Authorization in cross-fetch - GHSA-7gc6-qh9x-w6h8
Depends on vulnerable versions of node-fetch
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/cross-fetch
@ampproject/toolbox-core 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-core
@ampproject/toolbox-cache-list 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of @ampproject/toolbox-core
node_modules/@ampproject/toolbox-cache-list
@ampproject/toolbox-optimizer 2.0.0-alpha.0 - 2.8.10
Depends on vulnerable versions of @ampproject/toolbox-core
Depends on vulnerable versions of @ampproject/toolbox-validator-rules
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-optimizer
@ampproject/toolbox-runtime-fetch *
Depends on vulnerable versions of @ampproject/toolbox-core
Depends on vulnerable versions of node-fetch
node_modules/@ampproject/toolbox-runtime-fetch
@ampproject/eleventy-plugin-amp >=0.3.0
Depends on vulnerable versions of @11ty/eleventy-img
Depends on vulnerable versions of @ampproject/toolbox-runtime-fetch
node_modules/@ampproject/eleventy-plugin-amp
@ampproject/toolbox-runtime-version 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of @ampproject/toolbox-core
node_modules/@ampproject/toolbox-runtime-version
@ampproject/toolbox-validator-rules <=2.5.4 || 2.7.4 - 2.8.0
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-validator-rules
node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/@ampproject/toolbox-runtime-fetch/node_modules/node-fetch
node_modules/cross-fetch/node_modules/node-fetch
sharp <0.30.5
Severity: moderate
Possible vulnerability in sharp at 'npm install' time if an attacker has control over build environment - GHSA-gp95-ppv5-3jc5
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/sharp
@11ty/eleventy-img <=1.0.1-beta.1
Depends on vulnerable versions of sharp
node_modules/@11ty/eleventy-img
11 vulnerabilities (7 moderate, 4 high)