Experience-Monks / load-bmfont

loads a BMFont file in Node and the browser
MIT License

fixes deprecated & vulnerable phin dependency version #12

Closed DevonAM closed 4 months ago

DevonAM commented 7 months ago

What kind of change does this PR introduce? (check at least one)

Updated the phin dependency to a non-deprecated, non-vulnerable version and updated the usage.

Does this PR introduce a breaking change? (check one)

Did you test your solution?

The original test.js passed all tests.

Problem Description

The dependency phin@2.9.1 is deprecated and is marked as a vulnerability.

Solution Description

Updated phin to a non-deprecated version, 3.7.1. The phin function no longer accepts a callback function; it returns an object of type Promise<http.serverResponse>. The call was updated to await this function and to pass in only opt. The result is passed into a refactored version of handleData.

Side Effects, Risks, Impact

Additional comments: Fixes #11

theneva commented 5 months ago

This seems to hit quite a few people depending on jimp, and I'd love for this to land… @mattdesl are you still(?) in charge of this project? :smile:

mattdesl commented 5 months ago

Unfortunately, it looks like I've been removed from all Experience-Monks repositories, so I'd have to fork this repo and re-publish a patch (I still hold the npm package).

theneva commented 5 months ago

Ergh, I'm sorry 😅 sounds pretty straightforward though, are you up for it?

njam3 commented 4 months ago

@mattdesl I've added you to the repo if you are up to continue maintaining it

mattdesl commented 4 months ago

This should be fixed now in the latest commit and npm publish, let me know if that works. I've tweaked your PR slightly to stick with error handling and a callback-style approach (function continues to return void), and added a server test.

Ideally this module should be repurposed to get rid of XHR/server/request features altogether, which would reduce its surface area for attacks and such, but I'm not sure how that would break dependants who might want/expect this feature to exist after so long.
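Both the PR description above and the maintainer's callback-style rework come down to the same adaptation: a client that now returns a promise (phin 3.x) wrapped in a loader that still takes a callback and returns void, with network errors, bad HTTP statuses and synchronous throws all routed to that one callback. The following is an added example, not code from load-bmfont or from either commenter; the client is injected and assumed to resolve to an object with a statusCode and a Buffer body (phin's actual response shape is not shown on this page and is an assumption), so it runs offline against a stub.

```javascript
// Added example: a callback-style loader over a promise-returning HTTP client.
// `request(opt)` is assumed to resolve to { statusCode, body } with body a Buffer;
// that shape is an assumption, so the client is injected and stubbed in tests.
function once(cb) {
  // Guarantee the caller's callback fires at most once, however the client settles.
  let done = false;
  return (err, result) => {
    if (done) return;
    done = true;
    cb(err, result);
  };
}

function handleResponse(res) {
  // Reject non-2xx up front so an error page is never handed to the font parser.
  if (res.statusCode < 200 || res.statusCode >= 300) {
    throw new Error('HTTP ' + res.statusCode);
  }
  const body = Buffer.isBuffer(res.body) ? res.body : Buffer.from(String(res.body));
  return { bytes: body.length, text: body.toString('utf8') }; // stand-in for the BMFont parse
}

function loadViaPromise(request, opt, cb) {
  const finish = once(cb);
  let pending;
  try {
    // A client that throws synchronously (e.g. malformed URL) still reports via cb.
    pending = Promise.resolve(request(opt));
  } catch (err) {
    finish(err);
    return;
  }
  pending.then(
    (res) => {
      let result;
      try {
        result = handleResponse(res);
      } catch (err) {
        return finish(err); // response-level errors go to the callback, not to .catch
      }
      finish(null, result);
    },
    (err) => finish(err) // network-level rejection goes to the same callback
  ).catch((err) => {
    // Only a throw from inside cb lands here; surface it instead of swallowing it.
    setImmediate(() => { throw err; });
  });
  // Returns undefined, so callers of the old callback-style API are unaffected.
}
```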

emericcolombe commented 4 months ago

Thanks a lot for the awesome work @mattdesl! 🥳 Nice to have Snyk finally say that it detected no vulnerabilities!

(Btw I saw that there is no tag on the github repo for 1.4.2)

mattdesl commented 4 months ago

Tag pushed!