jpeg-js dependency is vulnerable #1088

Closed
stumueller opened this issue Jun 21, 2022 · 14 comments · Fixed by #1131
Labels
released This issue/pull request has been released.

Comments

@stumueller

Is your feature request related to a problem? Please describe.
Current version of @jimp/jpeg has a dependency on a vulnerable version of jpeg-js, this is causing it to be flagged with our sec-ops

Describe the solution you'd like
bump the version of jpeg-js to 0.4.4

@shahmirn

If you're using yarn, this is what you can do to force the version

yarn set resolution jpeg-js@npm:0.4.2 ^0.4.4

@stumueller
Author

Hi, we're not using yarn. Is there anything else that can be done?

@shahmirn

@stumueller

You can use https://www.npmjs.com/package/npm-force-resolutions if you're using npm

@kenryu42

To avoid this vulnerability for now, I use jimp-compact.

https://github.com/unjs/jimp-compact

# npm
npm i jimp-compact

# yarn
yarn add jimp-compact

@ghost

ghost commented Jun 25, 2022

@kenryu42 how do you advise jimp-compact over Jimp? Jimp seems not supported anymore...

@kenryu42

> @kenryu42 how do you advise jimp-compact over Jimp? Jimp seems not supported anymore...

The main concern at the moment is the vulnerability found in the dependencies of jpeg-js. Jimp-Compact is a minimum size package with all the features of the original Jimp. It does not depend on a vulnerable version of jpeg-js, which solves the problem at hand.

The future maintenance of this project is another issue that needs to be discussed.

@joeyparrish

> To avoid this vulnerability for now, I use jimp-compact.

It doesn't appear to avoid anything. It imports jimp, exactly as it is, with all its dependencies, and then bundles them together with vercel/ncc. You haven't avoided jpeg-js as far as I can tell, but rather, just hidden it.

@joeyparrish

@hipstersmoothie, you made the most recent release and have merged the most recent PRs since the release. Any chance you could bump the jpeg-js dependency and release again?

@joeyparrish

Maybe by merging #1090?

jacksonrya added a commit to jacksonrya/petition-scan-processor that referenced this issue Aug 4, 2022
Still infinite loop risk in dependency, jpeg-js. Probably not an issue
for me?...

Follow through at jimp-dev/jimp#1088
@GrantBirki

I am using npm and just swapped to jimp-compact

@joeyparrish

Yes, you can use jimp-compact if you want to work around the audit without actually fixing the bug. See #1088 (comment)

Personally, I would prefer to see the underlying issue fixed, rather than game the audit system.

@ghost

ghost commented Aug 23, 2022

If you're using npm 7+, you can use overrides to work around until a fix is published:

"overrides": {
  "jimp": {
    "jpeg-js": "^0.4.4"
  }
}

https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
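To confirm that an override like the one above actually took effect (and to spot a vulnerable jpeg-js that slipped in under another parent), here is an added example that is not code from this thread or from the jimp project: it scans the `packages` map of a package-lock.json (lockfile v2/v3) for jpeg-js below 0.4.4 and builds the `overrides` entry for a package.json object. The lockfile fragment, the `my-app` name and the version numbers in it are constructed sample data.

```javascript
// Added example (not jimp's code): audit a package-lock.json "packages" map for
// jpeg-js below the fixed release, and build the npm 7+ "overrides" entry.
const FIXED = "0.4.4"; // jpeg-js version the thread asks jimp to move to

// Compare two x.y.z version strings; returns -1, 0 or 1. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every install path under which jpeg-js resolves below FIXED.
// `packages` has the shape of the "packages" object in package-lock.json v2/v3:
// keys are node_modules paths, values carry at least a "version".
function findVulnerableJpegJs(packages) {
  return Object.entries(packages)
    .filter(([path, meta]) => /(^|\/)node_modules\/jpeg-js$/.test(path) && meta.version)
    .filter(([, meta]) => compareVersions(meta.version, FIXED) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Add the override from the comment above to a package.json object,
// preserving any overrides that are already present.
function addJpegJsOverride(pkg) {
  const overrides = { ...(pkg.overrides || {}) };
  overrides.jimp = { ...(overrides.jimp || {}), "jpeg-js": `^${FIXED}` };
  return { ...pkg, overrides };
}

// Constructed sample lockfile fragment: jimp pulling jpeg-js 0.4.2 transitively,
// while another (hypothetical) package already carries the fixed 0.4.4.
const sampleLock = {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/jimp": { version: "0.16.1" },
  "node_modules/@jimp/jpeg": { version: "0.16.1" },
  "node_modules/jpeg-js": { version: "0.4.2" },
  "node_modules/other-lib/node_modules/jpeg-js": { version: "0.4.4" },
};

console.log(findVulnerableJpegJs(sampleLock)); // [{ path: "node_modules/jpeg-js", version: "0.4.2" }]
console.log(JSON.stringify(addJpegJsOverride({ name: "my-app", dependencies: { jimp: "^0.16.1" } }), null, 2));
```

Run it against your real lockfile by replacing `sampleLock` with `require("./package-lock.json").packages`; an empty result after `npm install` means the override resolved every jpeg-js copy to 0.4.4 or newer.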

@rafaelmaeuer

Hey together, any plans to update jpeg-js to v0.4.4, so we can get rid of its package-resolution?

@hipstersmoothie
Collaborator

🚀 Issue was released in v0.17.0 🚀

@hipstersmoothie hipstersmoothie added the released This issue/pull request has been released. label Feb 4, 2023