
npm audit shows Vulnerabilities #93

Open
rikers opened this issue Oct 5, 2023 · 7 comments
@rikers

rikers commented Oct 5, 2023

6 moderate vulnerabilities exist in the current state of the package.
I was able to go down to 4 moderates by adding 2 overrides in my package.json:

```json
"overrides": { "semver": "^6.3.1", "tough-cookie": "^4.1.3" }
```

The issues come from the "request" package as shown below:


Is there a chance you can address these issues ?
Best regards

@twolfson
Owner

twolfson commented Oct 5, 2023

Thanks for reporting this bug! =D It shouuuld be an easy fix, though I'm curious if get-pixels needs a patch or not

I'm low on time today but I should be able to take a look by the end of next week (prob much sooner)

@twolfson
Owner

twolfson commented Oct 7, 2023

It looks like we're on the latest [email protected] in pixelsmith =/

There is a PR up for patching the request dependency, scijs/get-pixels#65

But until that gets landed, I think we're stuck with your workaround for now =(

Notes for self on how to reproduce:

```sh
# Navigate to `pixelsmith` folder

# Back up existing node_modules (we need a fresh install for `package-lock.json` for auditing)
mv node_modules/ node_modules.bak/

# Install latest modules
npm i --package-lock-only

# Generate audit report
npm audit report --omit dev
```

@twolfson twolfson added the bug label Oct 7, 2023
@rikers
Author

rikers commented Oct 10, 2023

Thank you for the feedback. Duly noted, wait and see :)

@ingalls

ingalls commented Sep 10, 2024

@twolfson Now that get-pixels is using the native fetch functionality would it be possible to update packages to latest versions in this library? Happy to put a PR together if you would be willing to review and cut a new release.

@twolfson
Owner

@ingalls Oh rad! I'll gladly update spritesmith dependencies if they release it as a major/minor.

Unfortunately, it looks like that while they landed the PR, there's no new release on npm?

https://www.npmjs.com/package/get-pixels?activeTab=versions


@ChrisdeWolf
Contributor

Partially related PR for this - #96. Unfortunately get-pixels still hasn't bumped their version on NPM (https://www.npmjs.com/package/get-pixels?activeTab=versions).

@twolfson
Owner

Thanks for the fix @ChrisdeWolf! It was too much overreach as a maintainer (e.g. my override can go out of date easily), but y'all can use it as a per-project override if you'd like:

```json
// Inside your package.json
"overrides": { "tough-cookie": "~4.1.3" },
```

I'll leave this issue open until get-pixels gets a new release and we upgrade to it
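The thread relies on two things a reader has to do by hand: trace why `tough-cookie` is pulled in through `get-pixels` and `request`, and confirm after `npm i --package-lock-only` that the `overrides` entry actually changed the installed version. The following is an added example, not code from pixelsmith or get-pixels; it walks the `packages` map of a constructed `package-lock.json` fragment (illustrative versions, hoisted layout only) and reports both.

```javascript
// Added example (not code from pixelsmith or get-pixels). Works on the
// "packages" map of a package-lock.json (lockfileVersion 2 or 3) to show
// which dependency chain pulls in a flagged package, and whether a lock
// regenerated after adding "overrides" really carries the fixed version.
// Hoisted layout only: nested node_modules/a/node_modules/b is not resolved.
function resolveEntry(lock, name) {
  return lock.packages[`node_modules/${name}`];
}
// All root-to-target chains, e.g. pixelsmith -> get-pixels -> request -> tough-cookie
function dependencyPaths(lock, target) {
  const root = lock.packages[''];
  const found = [];
  const walk = (entry, name, trail) => {
    const path = [...trail, name];
    if (name === target) { found.push(path); return; }
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (path.includes(dep)) continue; // cycle guard
      const next = resolveEntry(lock, dep);
      if (next) walk(next, dep, path);
    }
  };
  walk(root, root.name, []);
  return found;
}
// Minimal numeric compare: enough for "is the install at or above the fix?"
function versionAtLeast(installed, minimum) {
  const a = installed.split('-')[0].split('.').map(Number);
  const b = minimum.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}
// For each override, compare the hoisted install to the range's lower bound.
function auditOverrides(lock, overrides) {
  return Object.entries(overrides).map(([name, range]) => {
    const minimum = range.replace(/^[~^]/, '');
    const entry = resolveEntry(lock, name);
    const installed = entry && entry.version;
    return { name, installed, minimum, ok: !!installed && versionAtLeast(installed, minimum) };
  });
}

// Constructed lock fragments (versions are illustrative, not taken from the issue).
const CHAIN = {
  '': { name: 'pixelsmith', dependencies: { 'get-pixels': '*' } },
  'node_modules/get-pixels': { version: '3.3.3', dependencies: { request: '*' } },
  'node_modules/request': { version: '2.88.2', dependencies: { 'tough-cookie': '*' } },
};
const LOCK_BEFORE = { packages: { ...CHAIN, 'node_modules/tough-cookie': { version: '2.5.0' } } };
const LOCK_AFTER = { packages: { ...CHAIN, 'node_modules/tough-cookie': { version: '4.1.3' } } };
const OVERRIDES = { 'tough-cookie': '~4.1.3' };
```

Point `JSON.parse(fs.readFileSync('package-lock.json'))` at the functions in place of the constructed objects to run it against a real lock; an override that npm silently ignored shows up as `ok: false` with the old version still installed.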
