stripes-core has this dependency:
jimp >= 0.3.0 no longer has the url-regex dependency: https://github.com/oliver-moran/jimp/commit/a13e939b57a4e2b9ec9192c43e807cd456e6e4f9
resize-img >= 2.0.0 depends on "jimp": "^0.8.3".
to-ico 1.1.5 is the latest version and still depends on resize-img "^1.1.0". There is a pull request with a fix https://github.com/kevva/to-ico/pull/19 but the repository has been unmaintained since August 2017.
The favicons maintainers say: "But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally." https://github.com/itgalaxy/favicons/issues/322