jimp
jpeg-js dependency is vulnerable
Is your feature request related to a problem? Please describe. The current version of @jimp/jpeg has a dependency on a vulnerable version of jpeg-js; this is causing it to be flagged by our sec-ops.
Describe the solution you'd like: bump the version of jpeg-js to 0.4.4.
If you're using yarn, this is what you can do to force the version
yarn set resolution jpeg-js@npm:0.4.2 ^0.4.4
Hi, we're not using yarn. Is there anything else that can be done?
@stumueller
You can use https://www.npmjs.com/package/npm-force-resolutions if you're using npm
To avoid this vulnerability for now, I use jimp-compact.
https://github.com/unjs/jimp-compact
# npm
npm i jimp-compact
# yarn
yarn add jimp-compact
@kenryu42 how do you advise jimp-compact over Jimp? Jimp seems not supported anymore ...
The main concern at the moment is the vulnerability found in the dependencies of jpeg-js. Jimp-Compact is a minimum-size package with all the features of the original Jimp. It does not depend on a vulnerable version of jpeg-js, which solves the problem at hand.
The future maintenance of this project is another issue that needs to be discussed.
To avoid this vulnerability for now, I use jimp-compact.
It doesn't appear to avoid anything. It imports jimp, exactly as it is, with all its dependencies, and then bundles them together with vercel/ncc. You haven't avoided jpeg-js as far as I can tell, but rather, just hidden it.
@hipstersmoothie, you made the most recent release and have merged the most recent PRs since the release. Any chance you could bump the jpeg-js dependency and release again?
Maybe by merging #1090?
I am using npm
and just swapped to jimp-compact
Yes, you can use jimp-compact if you want to work around the audit without actually fixing the bug. See https://github.com/oliver-moran/jimp/issues/1088#issuecomment-1184607421
Personally, I would prefer to see the underlying issue fixed, rather than game the audit system.
If you're using npm 7+, you can use overrides to work around until a fix is published:
"overrides": {
  "jimp": {
    "jpeg-js": "^0.4.4"
  }
}
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
Hey together, any plans to update jpeg-js to v0.4.4, so we can get rid of its package resolution?