heic-convert
Vulnerability in "jpeg-js" dependency found
Hi,

could you please update jpeg-js to the latest version 0.4.4?

best regards Matthias
Vulnerability found
{
  "metadata": null,
  "vulnerable_versions": "<0.4.4",
  "module_name": "jpeg-js",
  "severity": "moderate",
  "github_advisory_id": "GHSA-xvf7-4v9q-58w6",
  "cves": [
    "CVE-2022-25851"
  ],
  "access": "public",
  "patched_versions": ">=0.4.4",
  "cvss": {
    "score": 0,
    "vectorString": null
  },
  "updated": "2022-06-17T01:00:49.000Z",
  "recommendation": "Upgrade to version 0.4.4 or later",
  "cwe": [
    "CWE-835"
  ],
  "found_by": null,
  "deleted": null,
  "id": 1070904,
  "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25851\n- https://github.com/jpeg-js/jpeg-js/issues/105\n- https://github.com/jpeg-js/jpeg-js/pull/106/\n- https://github.com/jpeg-js/jpeg-js/commit/9ccd35fb5f55a6c4f1902ac5b0f270f675750c27\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2860295\n- https://snyk.io/vuln/SNYK-JS-JPEGJS-2859218\n- https://github.com/advisories/GHSA-xvf7-4v9q-58w6",
  "created": "2022-06-11T00:00:17.000Z",
  "reported_by": null,
  "title": "Infinite loop in jpeg-js",
  "npm_advisory_id": null,
  "overview": "The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.",
  "url": "https://github.com/advisories/GHSA-xvf7-4v9q-58w6"
}
I'll update the dependencies on the next release. However, you do know that you can fix this yourself in your lockfile, right? Currently, jpeg-js is referenced as ^0.4.1. Anyone installing it today will receive version 0.4.4 when they do. That's kinda the whole point of semver. I don't really need to do anything at this time in order for you to use the latest jpeg-js. You can do that by just re-installing heic-convert, or using one of the many automated tools for updating nested dependencies.