appium
we need to talk about jimp
The problem
Jimp is unmaintained and contains "high severity" vulnerabilities in its dependencies. Both @appium/images-plugin and @appium/opencv depend upon Jimp.
Let's assume no security or bugfixes are forthcoming. We will need to take action (though I'm unclear on the urgency), and have some options:
- Offer to maintain Jimp. This makes sense if we think we have the bandwidth to do so (probably not) and we have the domain knowledge (I don't, but maybe someone else does).
- Replace Jimp with something else. Options include (but are not limited to) sharp and... I am not sure what else. image-js is a pure-JS solution which sounds promising, but is not popular. sharp is a native module, which may make installation painful. However, it seems to be well-maintained--and they publish binaries for M1 Macs--so maybe it won't be so bad.
- Research the feasibility of copy/pasting our way out of it by pulling the bits we need from Jimp and its dependencies.

From here, replacing it with sharp seems like a reasonable option, but will likely be a not-insignificant effort due to needing to refactor everything to work with its API.
If we do go the sharp route, #16992 should be abandoned entirely.
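An audit only names the leaf package (jimp here), not the direct dependencies that pull it in; the check a maintainer wants is the chain from the root to that leaf. The following script is an added example, not code from this issue or from the appium project: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and lists every dependency chain ending at a target package. The lockfile fragment is constructed (package names follow the issue; the `"*"` specs are made up).

```javascript
// Constructed lockfile fragment, reduced to the fields the walker reads.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "appium", dependencies: { "@appium/images-plugin": "*", "@appium/opencv": "*" } },
    "node_modules/@appium/images-plugin": { dependencies: { "@appium/opencv": "*", jimp: "*" } },
    "node_modules/@appium/opencv": { dependencies: { jimp: "*" } },
    "node_modules/jimp": { dependencies: { "@jimp/custom": "*" } },
    "node_modules/@jimp/custom": {},
  },
};

// npm resolution order: the nearest enclosing node_modules, then each parent's,
// then the hoisted top-level node_modules. Returns the lockfile key or null.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Depth-first walk from the root; every path reaching `target` is recorded as
// "a > b > c". `onPath` holds the keys on the current path to stop on cycles.
function chainsTo(lock, target) {
  const { packages } = lock;
  const chains = [];
  const walk = (key, names, onPath) => {
    const meta = packages[key];
    const name = key === "" ? meta.name || "(root)" : key.replace(/^.*node_modules\//, "");
    const path = [...names, name];
    if (key !== "" && name === target) { chains.push(path.join(" > ")); return; }
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const depKey = resolveDep(packages, key, dep);
      if (depKey && !onPath.has(depKey)) walk(depKey, path, new Set([...onPath, depKey]));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Root-level dependencies that reach the target: the packages a migration must touch.
function directDependentsOf(lock, target) {
  return [...new Set(chainsTo(lock, target).map((c) => c.split(" > ")[1]))];
}
```

Running it against a real lockfile only needs `JSON.parse` of the file in place of `SAMPLE_LOCK`.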
I like the idea of moving to a more maintained module, however building native extensions has been an issue in the past (a severe issue with opencv4nodejs) so I'd want to make sure Sharp builds easily and without issue on all the os/node versions we expect, with no user fiddling.
I'd say then if we were to attempt to adopt sharp, adding mac intel & ARM (along w/ windows) to the CI matrix would be a requirement.
...a problem with that is GH does not offer ARM Macs and we'd have to self-host a machine. Feel like throwing down for a mac mini?
how easy is it to add a custom executor to a github CI job? is it even possible to throw our own hardware at it?
I could not figure out what the solution to my problem #17433 is by looking at this ticket, and mine has already been closed as a duplicate. Can someone please help me out here, as I am still stuck with those 8 vulnerabilities and because of that even "Appium" is not getting recognised as an internal or external command.
FWIW, Jimp is becoming more maintained as of late. There's a new call for maintainers, which has been getting a fair bit of response (including from myself).
https://github.com/jimp-dev/jimp/issues/1128
This is not to say that it's perfect or will be solved overnight, but that we're working on it and hope to improve it over time.
@crutchcorn Thanks for the heads-up. I'll keep an eye on it. I'm not sure I love the idea of a "total rewrite" as tossed around in that issue, but this reduces the urgency to migrate away (not that there was a ton of urgency in the first place).
No jimp - no talk ;)