-
-
Notifications
You must be signed in to change notification settings - Fork 763
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
npm audit fails about xml2js (from load-bmfont) #1223
Comments
A quick and dirty solution until
and Note: overrides are only available since npm 8.3 |
An alternative / temporary solution could be to create a custom-configured Jimp by using |
FWIW I'm now seeing this vulnerability categorized as |
It's high time for If this won't progress, would the jimp devs fork it or find an alternative, please ? @hipstersmoothie @Marsup @zmedgyes @sjoerd108 |
If someone want to fork those deps into the jimp org and do the update I'll help make it happen |
The nested form did not work for me in npm 9.6.3, though the following did reliably generate the upgraded non-vulnerable
|
@pzrq The nested form works perfectly fine. But there's a catch. Whenever you install a new package, e.g. |
Is there any progress available on the work in this vulnerability? I'm having the same issue here and I'm using v0.22.10. |
No, same issue for me as of now. |
This issue is still occurring for me as well. |
Very strange that nobody bothers to actually fix this #1223 (comment) |
@lorand-horvath from your original workaround, I've tried adding the override to my package.json , deleted package-lock.json and node_modules, but I still see the vulnerability during the yarn audit process. Seems v. 0.4.5 keeps getting pulled in. Am I doing something wrong? |
@RazvanVuscan As per #1223 (comment) :
Then delete Edit: I see you're using yarn instead of npm. I haven't worked much with it. I'm not sure if and since what version of yarn are overrides supported, you'd have to dig a bit and find out. If you do, please let me know! |
@lorand-horvath yeah, I actually use nvm, and my node version is 20.0.0. And yes, I use yarn instead of npm because of speed reasons 😄 . But your suggestions did provide me a solution, and as per https://classic.yarnpkg.com/en/docs/selective-version-resolutions/#toc-how-to-use-it. If you are using yarn, add this to your package.json for a quick and dirty solution:
yarn uses resolutions not overrides 😄 . |
See jimp-dev/jimp#1223, that workaround doesn't seem to have any downsides when running `npm run collect`.
Perhaps jimp should not install all plugins automatically? I have no need to print bitmap fonts on my files, but |
Seems like issue is causing security tools such as Snyk to flag Jimp. Is there a plan for a fix yet? |
Fixed in mattdesl/parse-bmfont-xml#4 |
Hurray! There's nothing left to do here as users can now update their lockfiles without any changes necessary in jimp That being said, I do think it'd be an improvement if all jimp plugins were not automatically installed: #1223 (comment) |
If anyone wants to submit a pr to update our deps I'd approve! not installing all the default plugins is a pretty big breaking change and I don't think breaking changes are too worth it for this project |
🚀 Issue was released in |
On my project, I am using jimp, and just found out that the current latest version : 0.22.7, has a vulnerable dependency.
Here is the output of npm audit :
It seems that @jimp/plugin-print uses :
There is an issue in parse-bmfont-xml to upgrade to xml2js 0.5.0 : mattdesl/parse-bmfont-xml#6
The text was updated successfully, but these errors were encountered: