Moderate Vulnerability in used static-eval version

[ekelvin]

Can you please consider upgrading static-eval to version >= 2.0.0 where this vulnerability is patched ?

Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in >=2.0.0
Dependency of webpack-spritesmith [dev]
Path webpack-spritesmith > spritesmith > pixelsmith >
ndarray-fill > cwise > static-module > static-eval
More info https://nodesecurity.io/advisories/548

[mixtur]

I have no control over static-eval version.
It is burried in transitive dependencies. All I can do is update spritesmith, but it is already at most recent version.
Action must be first taken there https://github.com/scijs/cwise and then in every package before in that dependency chain up until webpack-spritesmith.

Yet I am not sure how that is a vulnerability. Code in this repository will not likely be executed in environment that can compromise something serious... I hope so. I am not a security specialist though.