
jpeg-js dependency is vulnerable

Open stumueller opened this issue 2 years ago • 13 comments

Is your feature request related to a problem? Please describe.
The current version of @jimp/jpeg depends on a vulnerable version of jpeg-js; this is causing it to be flagged by our sec-ops.

Describe the solution you'd like
Bump the version of jpeg-js to 0.4.4.

stumueller avatar Jun 21 '22 08:06 stumueller

If you're using yarn, this is what you can do to force the version

yarn set resolution jpeg-js@npm:0.4.2 ^0.4.4

shahmirn avatar Jun 21 '22 22:06 shahmirn

Hi, we're not using yarn. Is there anything else that can be done?

stumueller avatar Jun 22 '22 07:06 stumueller

@stumueller

You can use https://www.npmjs.com/package/npm-force-resolutions if you're using npm

shahmirn avatar Jun 23 '22 12:06 shahmirn

To avoid this vulnerability for now, I use jimp-compact.

https://github.com/unjs/jimp-compact

# npm
npm i jimp-compact

# yarn
yarn add jimp-compact

kenryu42 avatar Jun 23 '22 12:06 kenryu42

@kenryu42 how do you advise Jimp-compact over Jimp? Jimp seems not supported any more...

bacloud23 avatar Jun 25 '22 17:06 bacloud23

@kenryu42 how do you advise Jimp-compact over Jimp? Jimp seems not supported any more...

The main concern at the moment is the vulnerability found in the dependencies of jpeg-js. Jimp-Compact is a minimum-size package with all the features of the original Jimp. It does not depend on a vulnerable version of jpeg-js, which solves the problem at hand.

The future maintenance of this project is another issue that needs to be discussed.

kenryu42 avatar Jun 25 '22 18:06 kenryu42

To avoid this vulnerability for now, I use jimp-compact.

It doesn't appear to avoid anything. It imports jimp, exactly as it is, with all its dependencies, and then bundles them together with vercel/ncc. You haven't avoided jpeg-js as far as I can tell, but rather, just hidden it.

joeyparrish avatar Jul 14 '22 15:07 joeyparrish

@hipstersmoothie, you made the most recent release and have merged the most recent PRs since the release. Any chance you could bump the jpeg-js dependency and release again?

joeyparrish avatar Jul 14 '22 15:07 joeyparrish

Maybe by merging #1090?

joeyparrish avatar Jul 14 '22 15:07 joeyparrish

I am using npm and just swapped to jimp-compact

GrantBirki avatar Aug 08 '22 23:08 GrantBirki

Yes, you can use jimp-compact if you want to work around the audit without actually fixing the bug. See https://github.com/oliver-moran/jimp/issues/1088#issuecomment-1184607421

Personally, I would prefer to see the underlying issue fixed, rather than game the audit system.

joeyparrish avatar Aug 11 '22 17:08 joeyparrish

If you're using npm 7+, you can use overrides to work around until a fix is published:

"overrides": {
  "jimp": {
    "jpeg-js": "^0.4.4"
  }
}

https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

aogilvie-indeed avatar Aug 23 '22 00:08 aogilvie-indeed

Hey all, any plans to update jpeg-js to v0.4.4, so we can get rid of its package resolution?

rafaelmaeuer avatar Sep 08 '22 11:09 rafaelmaeuer