lilconfig in use?

[sbradnick]

Received a CVE notice for lilconfig in xpra-html5, but the references here are for an old version (2.0.4) that (apparently) doesn't have the vuln. The impacted version(s) are "from 3.1.0 and before 3.1.1"

$ grep -ir lilconfig xpra-html5
xpra-html5/package-lock.json:    "node_modules/lilconfig": {
xpra-html5/package-lock.json:      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.4.tgz",
xpra-html5/package-lock.json:        "lilconfig": "2.0.4",
xpra-html5/package-lock.json:    "lilconfig": {
xpra-html5/package-lock.json:      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.4.tgz",
xpra-html5/package-lock.json:        "lilconfig": "2.0.4",

So I'm just curious if lilconfig is in use [anymore?]

Thanks!

[totaam]

This is almost 100% identical to #306 so I have now removed this useless lock file.

I don't use any of it and I very much doubt that anyone else is.

I only merged the change (41d3c2d) because, at the time, I thought this was going to help others contribute to the project.
In the end, all it did is make my work much much more painful and I have had to revert much of the changes this had brought in. (like some pretty horrible automated code formatting)