
Package vulnerabilities

Open NViviers opened this issue 2 years ago • 10 comments

When installing version 2.4.1 NPM reports 4 total vulnerabilities, 3 moderate and 1 high.

node_modules/jpeg-js
  get-pixels-frame-info-update  *
  Depends on vulnerable versions of jpeg-js
  node_modules/get-pixels-frame-info-update
    @nsfw-filter/gif-frames  *
    Depends on vulnerable versions of get-pixels-frame-info-update
    node_modules/@nsfw-filter/gif-frames
      nsfwjs  >=2.3.0
      Depends on vulnerable versions of @nsfw-filter/gif-frames
      node_modules/nsfwjs

Can we get a fix on this?

NViviers avatar Sep 01 '22 13:09 NViviers

Can you get me a list based off of installing master? That way I can know what to get fixed in order to do a fresh release?

Some of these will most-likely resolve with using master.

GantMan avatar Sep 01 '22 14:09 GantMan

I do have a plan to get snyk working on the repo to catch these early, but I hit a few snags.

GantMan avatar Sep 01 '22 14:09 GantMan

Do you mean this?

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

Let me know how to get what you want, and I'll be happy to help

NViviers avatar Sep 01 '22 14:09 NViviers

Try release 2.4.2 and let me know if it fixes things.

GantMan avatar Sep 01 '22 14:09 GantMan

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142 

added 143 packages, and audited 144 packages in 6s

12 packages are looking for funding
  run `npm fund` for details

4 vulnerabilities (3 moderate, 1 high)

NViviers avatar Sep 01 '22 14:09 NViviers

I have Snyk running on my local machine. So now I can see the 4 vulnerabilities and identify when they are removed.

Most critical errors come from the ability to detect GIF frames. If you're not using the classifyGif functionality, these security issues are not a problem.

If you'd like to fix these - can you send a pull-request to https://github.com/nsfw-filter/gif-frames to update their dependencies? When they update, I'll point NSFWJS to the latest.

GantMan avatar Sep 01 '22 15:09 GantMan
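The audit chain pasted at the top of this issue and the point above that the advisories only matter when the GIF path is used are the same check in two forms: does every route from the vulnerable package up to the direct dependency pass through the GIF-frame extractor? The script below is an added example, not code from the nsfwjs project or from anyone in this thread. It assumes the shape of npm's `npm audit --json` report (`auditReportVersion` 2, npm 7 and later), where the package that carries the advisory has advisory objects in `via`, dependents list it as a string in `via`, and `effects` points upward to the packages that depend on it. The embedded report is constructed to mirror the chain in this issue; the advisory title, URL and range are placeholders rather than real advisory data.

```javascript
// Added example (not nsfwjs project code): follow `effects` in an
// `npm audit --json` report from each root advisory up to the direct
// dependencies, and check whether every chain passes through one named
// package (here @nsfw-filter/gif-frames). Assumes the report shape of
// npm's auditReportVersion 2.

// Constructed sample report mirroring the chain reported in this issue.
// Advisory title/url/range are placeholders, not real advisory values.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'jpeg-js': {
      name: 'jpeg-js', severity: 'high', isDirect: false,
      via: [{ name: 'jpeg-js', severity: 'high',
              title: 'PLACEHOLDER advisory title',
              url: 'https://example.invalid/PLACEHOLDER', range: 'PLACEHOLDER' }],
      effects: ['get-pixels-frame-info-update'], nodes: ['node_modules/jpeg-js'],
    },
    'get-pixels-frame-info-update': {
      name: 'get-pixels-frame-info-update', severity: 'high', isDirect: false,
      via: ['jpeg-js'], effects: ['@nsfw-filter/gif-frames'],
      nodes: ['node_modules/get-pixels-frame-info-update'],
    },
    '@nsfw-filter/gif-frames': {
      name: '@nsfw-filter/gif-frames', severity: 'high', isDirect: false,
      via: ['get-pixels-frame-info-update'], effects: ['nsfwjs'],
      nodes: ['node_modules/@nsfw-filter/gif-frames'],
    },
    'nsfwjs': {
      name: 'nsfwjs', severity: 'high', isDirect: true,
      via: ['@nsfw-filter/gif-frames'], effects: [], nodes: ['node_modules/nsfwjs'],
    },
  },
};

// Packages that carry an advisory themselves (an object in `via`), as
// opposed to packages that are flagged only because of what they depend on.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((entry) => typeof entry === 'object'));
}

// All chains [root, ..., directDependency] obtained by walking `effects`
// upward. `seen` guards against cycles in a malformed or circular report.
function dependencyChains(report, pkgName, seen = new Set()) {
  const entry = report.vulnerabilities[pkgName];
  if (!entry || seen.has(pkgName)) return [];
  const visited = new Set(seen).add(pkgName);
  if (entry.isDirect || entry.effects.length === 0) return [[pkgName]];
  const chains = [];
  for (const dependent of entry.effects) {
    for (const tail of dependencyChains(report, dependent, visited)) {
      chains.push([pkgName, ...tail]);
    }
  }
  return chains;
}

// True when the vulnerable package is reachable only through `gate`,
// i.e. every chain to a direct dependency contains that package.
function onlyReachableThrough(report, pkgName, gate) {
  const chains = dependencyChains(report, pkgName);
  return chains.length > 0 && chains.every((chain) => chain.includes(gate));
}

// One summary row per root advisory, with chains rendered like npm's output.
function summarize(report, gate) {
  return rootAdvisories(report).map((v) => ({
    package: v.name,
    severity: v.severity,
    chains: dependencyChains(report, v.name).map((chain) => chain.join(' -> ')),
    confinedToGate: onlyReachableThrough(report, v.name, gate),
  }));
}

for (const row of summarize(SAMPLE_AUDIT, '@nsfw-filter/gif-frames')) {
  console.log(`${row.severity.padEnd(8)} ${row.package}`);
  for (const chain of row.chains) console.log(`  ${chain}`);
  console.log(`  reachable only via gate: ${row.confinedToGate}`);
}
```

To run it against a real project, replace `SAMPLE_AUDIT` with `JSON.parse(require('node:fs').readFileSync(0, 'utf8'))` and pipe `npm audit --json` into the script. A `true` result is package-level reachability only: it tells you the advisory enters solely through the GIF-frame dependency, not that the affected code is never executed, so it supports the "not a problem unless you call classifyGif" reasoning rather than proving it.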

Thank you for checking them. Is this pull request perhaps trying to fix this problem?

NViviers avatar Sep 01 '22 15:09 NViviers

That looks correct. Seems everyone is too busy, hahahaha.

GantMan avatar Sep 01 '22 15:09 GantMan


I am having a vulnerability issue in the request package used by [email protected]

pprathameshmore avatar Aug 01 '23 09:08 pprathameshmore

That's the gif package. I hope someone can fork it and upgrade.

GantMan avatar Aug 01 '23 14:08 GantMan