
Next release?

Open andy128k opened this issue 3 years ago • 10 comments

The latest version of favicons appears in npm audit as vulnerable to different kinds of attack because of its dependencies. It seems the code in the master branch got rid of those issues (by dropping to-ico and jimp). It would be great to have a release and solve these issues for downstream.

Additionally, this package is declared as gulp-friendly and has tests of using it with gulp. But there are still 7 issues reported by npm audit which are linked to gulp.

Is there some list of issues which block the next release?

andy128k avatar Nov 11 '21 16:11 andy128k

I think we will finish browserslist support, but we can do a release right now if you want; moreover, I can add permission to do releases, so you can do it without me.

alexander-akait avatar Nov 11 '21 16:11 alexander-akait

I am not sure if browserslist is actually needed.

  1. Android Chrome icons depend on the device's DPI, not on the browser version.
  2. Apple icons and splash screens also depend on the device, not the browser.
  3. The Windows platform is not a browser.
  4. Yandex browser wants a single image, and this may be turned on/off completely.
  5. For standard icons, favicons generates the bare minimum.

andy128k avatar Nov 11 '21 16:11 andy128k

@andy128k Can you give me your npm name?

alexander-akait avatar Nov 11 '21 16:11 alexander-akait

Found you, added https://www.npmjs.com/package/favicons/access, feel free to do a release :+1:

alexander-akait avatar Nov 11 '21 16:11 alexander-akait

Any update on when the new release will be available? The audit headaches from the to-ico dependency are driving me nuts!

mureni avatar Dec 13 '21 20:12 mureni

@mureni Version 7.0.0-beta.1 is already released. Here is also a PR to one of the downstream packages to test it.

andy128k avatar Dec 13 '21 20:12 andy128k

What was the decision for 7.0.0-beta.1's dist/ files to move over to being ES modules vs. the well-established require like in 6.2.2? I've got a downstream package (node 14.17.0) that I for the life of me can't seem to get working using 7.0.0-beta.1 because dist/ is now all ES modules.

drolsen avatar Jan 20 '22 20:01 drolsen

See #355

andy128k avatar Jan 20 '22 22:01 andy128k

What's the overall status of this? It's been quite some time; is this scheduled to be part of the main release sometime soon? Thanks.

nrthbound avatar Feb 02 '22 00:02 nrthbound

yarn audit v1.22.17
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons > to-ico > resize-img > jimp > mkdirp > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1067342                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

An update would really be encouraged.

synedra-mpe avatar Apr 13 '22 08:04 synedra-mpe
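The audit output above flags Prototype Pollution in minimist (patched in >=1.2.6). As an added example, not code from the favicons project or from minimist, the block below shows the vulnerable dotted-key assignment pattern that this class of advisory describes, beside a hardened setter that filters prototype-reaching keys; the parser, the setters and the sample argv are constructed for illustration.

```javascript
// Toy argv parser in the style of minimist's dotted-key handling (added
// example, not code from the favicons project or from minimist).

// Walks a dotted key path such as "__proto__.polluted" and assigns the value.
// Unsafe pattern: nothing stops the walk from reaching Object.prototype.
function setPathUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened variant: refuse any path segment that can climb into the prototype chain.
function isDangerousKey(key) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype';
}

function setPathSafe(obj, keys, value) {
  if (keys.some(isDangerousKey)) return; // drop the whole argument
  setPathUnsafe(obj, keys, value);       // remaining keys are plain data
}

// Parses "--a.b=c" style arguments into an object using the supplied setter.
function parseArgs(argv, setPath) {
  const result = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setPath(result, m[1].split('.'), m[2]);
  }
  return result;
}

// Returns true if parsing the constructed argv with the given setter left a
// new property on Object.prototype (i.e. prototype pollution happened).
// The pollution is reverted before returning so the process stays clean.
function pollutes(setPath) {
  const argv = ['--__proto__.polluted=yes', '--name=favicons']; // constructed input
  parseArgs(argv, setPath);
  const hit = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return hit;
}
```

Running `pollutes(setPathUnsafe)` returns true while `pollutes(setPathSafe)` returns false, which is the behavioural difference between the flagged and patched minimist versions in the audit path above.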