favicons
favicons copied to clipboard
NPM audit reports high vulnerability coming from to-ico package.
Hi! When using favicons, NPM audit shows that the dependency to-ico
is vulnerable to CVE-2020-7661, which is rated as a high severity vulnerability. It also looks like the to-ico
project has been abandoned.
Would the right approach be to remove the to-ico
dependency? I'm open to submitting a PR if that's the direction you would like to take.
I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.
png-to-ico
is a good package I found without the vulnerability. Maybe we should be work on using this package instead?
Hello guys. Any progress about this issue?
I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.
How comes, then, that we get this vulnerability error when building our projects, because the dependency is still listed in the package-lock.json
? It would be nice if you could remove this so we can use it out-of-the-box. Maybe I just don't see the correct way to deal with the npm packages on the other hand?
I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.
If you really only used those dependencies locally, you would not and should not add them to the dependencies
-tree in the package.json
, but rather in the devDependencies
:
@electrocnic I guess you misunderstood locally.. @ym-project probably meant that it does not expose to-ico
in any public api method
@sclickk this package looks interesting (it is using @types/node as dependency which will probably lead to issues) but maybe someone could create a pull request to replace to-ico
with png-to-ico
@electrocnic I guess you misunderstood locally.. @ym-project probably meant that it does not expose
to-ico
in any public api method
Ok thanks for clarification, but I still get build errors, even with --force --legacy-peer-deps
...
I am not even sure if it's the same issue.
Hi @jantimon , png-to-ico
have 3 dependencies:
- @types/node for TypeScript definition
- jimp for png decode and image resize
- minimist for cli usage
@steambap won't png-to-ico
cause problems as it will always install node typings for node 14
?
@jantimon Typings have no effect on running code. These typings will make your life easier when you are using vs code or other IDEs like Webstorm.
I would vote for removing this package at all vs replacing it with another. Looks like .png
favicons are supported by all the major browsers and we don't need .ico
anymore.
https://caniuse.com/link-icon-png
I dislike it too. But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally.
But it hurts "the peace of mind" of mine, so it surely counts as harmful, right?
Of course I came here to make sense: generally it is considered a bad practice to depend on something abandoned (if it is truly). The sooner to "move on", the smaller the pain.