
Vulnerability in `jimp>@jimp/types>@jimp/jpeg>jpeg-js` (High)

Open yurivangeffen opened this issue 2 years ago • 1 comments

There seems to be a vulnerability deeply nested in the jimp package: https://github.com/advisories/GHSA-xvf7-4v9q-58w6. Unfortunately this seems to not be maintained, but maybe we can force a different version of jpeg-js somehow?

yurivangeffen avatar Jun 22 '22 10:06 yurivangeffen

The only thing I can do is to migrate my code to only use pngjs in the future, since I'm only using the png part of the library. For now, you have to experiment with your local lock file to somehow force update jpeg-js.

steambap avatar Jun 22 '22 12:06 steambap
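One concrete form of the lock-file forcing described in the comment above, as an added example that is not from the png-to-ico project or from either commenter: an npm `overrides` entry (npm 8.3 or newer) or a Yarn classic `resolutions` entry pins every transitive copy of jpeg-js, including the one reached through `jimp>@jimp/types>@jimp/jpeg`, to a single version. The `package.json` below is constructed for illustration; `PATCHED_VERSION_FROM_ADVISORY` is a placeholder to be replaced with the fixed version listed in GHSA-xvf7-4v9q-58w6.

```json
{
  "name": "example-consumer-of-png-to-ico",
  "version": "0.0.0",
  "private": true,
  "dependencies": {
    "png-to-ico": "*"
  },
  "overrides": {
    "jpeg-js": "PATCHED_VERSION_FROM_ADVISORY"
  },
  "resolutions": {
    "jpeg-js": "PATCHED_VERSION_FROM_ADVISORY"
  }
}
```

After editing, run `npm install` (or `yarn install`) so the lock file is regenerated, then `npm ls jpeg-js` to confirm that only one copy resolves and that it is the pinned version, and `npm audit` to confirm the advisory no longer fires. The override forces the version regardless of the range `@jimp/jpeg` declares, so it is on the consumer to check that the pinned release is still API-compatible with jimp; the package manager will not do that for you.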

@steambap it sounds like it's possible to switch to jimp-compact to avoid the audit triggering on the vulnerability. Would that be possible here?

https://github.com/oliver-moran/jimp/issues/1088#issuecomment-1212287490

(I am the author of a library depending on this library, hoping we can get this vulnerability fixed shortly :) )

NJAldwin avatar Aug 22 '22 23:08 NJAldwin

#17 I won't switch to jimp-compact. I'll switch to pngjs.

steambap avatar Aug 23 '22 07:08 steambap