v5 causes an unnecessary breakage where you could still provide a default export of trimNewlines so that people don't get things like:

✖ stylelint scss:
file:///home/neale/dev/solum/solum-xplain-ui/node_modules/stylelint/node_modules/meow/index.js:9
import trimNewlines from 'trim-newlines';
       ^^^^^^^^^^^^
SyntaxError: The requested module 'trim-newlines' does not provide an export named 'default'

It should be commit b10d5f4 according to npm metadata, but that's not in the repo currently.

• trimNewlines
• trimNewlinesStart
• trimNewlinesEnd

I'm unlikely to do this anytime soon, but this is a reminder for the next major version.

I received some security warnings

`trim-newlines` before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

$ npm ls trim-newlines

...
└─┬@commitlint/[email protected]
  └─┬ @commitlint/[email protected]
    └─┬ @commitlint/[email protected]
      ├─┬ [email protected]
        └── [email protected]

└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

└─┬ [email protected]
  └─┬ @lerna/[email protected]
    └─┬ @lerna/[email protected]
      ├─┬ [email protected]
      │ ├─┬ [email protected]
      │ │ └─┬ [email protected]
      │ │   └── [email protected] 
      │ ├─┬ [email protected]
      │ │ └─┬ [email protected]
      │ │   └── [email protected] 
      │ └─┬ [email protected]
      │   └─┬ [email protected]
      │     └── [email protected] 
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected] 

For many web projects @commitlint/cli,stylelint, lerna are common and basic dependencies

I have some questions about this and whether we need to spend so much effort to upgrade

Even lerna doesn't have an available version to solve this problem

I want to make sure that this is really a serious problem ?

Using this package in Node JS with any other packages written in CJS is hardly possible.
Would be cool to have both formats in one package.

It's as easy as adding to package.json:

"exports": {
    ".": {
      "require": "./index.cjs", // CJS
      "import": "./index.mjs"   // ESM
    }
}

Source: https://antfu.me/posts/publish-esm-and-cjs

I see a lot of packages, that migrate to ESM without providing any backward compatibility, rendering those packages almost impossible to use in a real dev environment.

If you are not sure, that still supporting CJS is a good thing, take a look at package statistics:

It's 17x more downloads for CJS version than ESM one.

Hi! I'm here because of a dependabot alert on a project using stylelint which ends up depending on this package.

$ npm ls trim-newlines
...
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

essence The security issue that claims to have been fixed in 25246c6 does not exist.

Rather than diving into the details of how exponential backtracking can happen with regexps (and whether that's really worth a CVE in the first place), it's pretty easy to show the original code was not affected. Just revert your implementation change and re-run the tests you added - they still pass. Get them to print timings - the time for all input sizes is ~0ms.

It's not clear to me how CVE-2021-33623 was reported and assigned. Some kind of external CVE stuffing exercise?

As this just seems to be a library you made to help your own projects I'm not going wave left-pad around too much, but will point out the original (and perfectly fine) implementation is 4 lines of code.