Getting a security warning regarding jpeg-js which is a dependency of react-native-bootsplash

[patrick-domegan-rbc]

Thank you for react-native-bootsplash! Just a post about a github security alert we are passing along.

Getting a security warning regarding jpeg-js which is a dependency of react-native-bootsplash

CVE-2020-8175
moderate severity
Vulnerable versions: < 0.4.0
Patched version: 0.4.0

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

(2.2.5 has same issue)

💻 My environment

• react-native-bootsplash version: 2.2.4
• react-native version: 0.62.2
• Platform: both
• OS version: N/A
• Device: N/A
• Simulator: N/A
• Android Studio version: N/A
• Android buildToolsVersion: N/A
• Xcode version: N/A

🕵️‍♂️ Reproducing the issue

Install react-native-bootsplash to your RN app

run npm ls jpeg-js

└─┬ [email protected]
  └─┬ [email protected]
    └─┬ @jimp/[email protected]
      └─┬ @jimp/[email protected]
        └── [email protected] 

🤞Solution

Upgrade to v0.12.1 of jimp
(v0.12.1 => jimp-dev/jimp#892)

[zoontek]

@patrick-domegan-rbc Hi. Could you create the PR?

[zoontek]

Done on 3.0.0 branch: https://github.com/zoontek/react-native-bootsplash/tree/3.0.0