favicons icon indicating copy to clipboard operation
favicons copied to clipboard

Published 20 hours ago verified publisher icon itgalaxy

NPM audit reports high vulnerability coming from to-ico package.

Open lucaskjaero opened this issue 3 years ago • 12 comments

Hi! When using favicons, NPM audit shows that the dependency to-ico is vulnerable to CVE-2020-7661, which is rated as a high severity vulnerability. It also looks like the to-ico project has been abandoned.

Would the right approach be to remove the to-ico dependency? I'm open to submitting a PR if that's the direction you would like to take.

lucaskjaero avatar Oct 08 '20 20:10 lucaskjaero

I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.

ym-project avatar Oct 19 '20 14:10 ym-project

png-to-ico is a good package I found without the vulnerability. Maybe we should be work on using this package instead?

sclickk avatar Dec 11 '20 21:12 sclickk

Hello guys. Any progress about this issue?

donskov avatar Dec 16 '20 13:12 donskov

I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.

How comes, then, that we get this vulnerability error when building our projects, because the dependency is still listed in the package-lock.json? It would be nice if you could remove this so we can use it out-of-the-box. Maybe I just don't see the correct way to deal with the npm packages on the other hand?

electrocnic avatar Feb 20 '21 14:02 electrocnic

I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.

If you really only used those dependencies locally, you would not and should not add them to the dependencies-tree in the package.json, but rather in the devDependencies:

image

electrocnic avatar Feb 20 '21 15:02 electrocnic

@electrocnic I guess you misunderstood locally.. @ym-project probably meant that it does not expose to-ico in any public api method

@sclickk this package looks interesting (it is using @types/node as dependency which will probably lead to issues) but maybe someone could create a pull request to replace to-ico with png-to-ico

jantimon avatar Feb 20 '21 21:02 jantimon

@electrocnic I guess you misunderstood locally.. @ym-project probably meant that it does not expose to-ico in any public api method

Ok thanks for clarification, but I still get build errors, even with --force --legacy-peer-deps... I am not even sure if it's the same issue.

electrocnic avatar Feb 20 '21 23:02 electrocnic

Hi @jantimon , png-to-ico have 3 dependencies:

  • @types/node for TypeScript definition
  • jimp for png decode and image resize
  • minimist for cli usage

steambap avatar Feb 21 '21 02:02 steambap

@steambap won't png-to-ico cause problems as it will always install node typings for node 14?

jantimon avatar Feb 21 '21 12:02 jantimon

@jantimon Typings have no effect on running code. These typings will make your life easier when you are using vs code or other IDEs like Webstorm.

steambap avatar Feb 22 '21 02:02 steambap

I would vote for removing this package at all vs replacing it with another. Looks like .png favicons are supported by all the major browsers and we don't need .ico anymore.

https://caniuse.com/link-icon-png

RomanHotsiy avatar Apr 11 '21 15:04 RomanHotsiy

I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.

But it hurts "the peace of mind" of mine, so it surely counts as harmful, right?

Of course I came here to make sense: generally it is considered a bad practice to depend on something abandoned (if it is truly). The sooner to "move on", the smaller the pain.

nirui avatar Apr 30 '21 02:04 nirui