NJAldwin / eleventy-plugin-gen-favicons

Favicon generator plugin for eleventy
MIT License

known issue: high severity vulnerabilities tracing to `jpeg-js` #2

Closed changethe closed 1 year ago

changethe commented 2 years ago

First of all: thanks a lot for this plugin!

When installing it via npm, it gives a warning for 6 high severity vulnerabilities.

I'll probably use it anyway, but maybe it would be a good idea to fix them at some stage :)

NJAldwin commented 2 years ago

Thanks for the note! When I wrote this, there were no vulnerabilities, but it looks like jpeg-js (from png-to-ico) now has an infinite loop vulnerability.

This should not be unsafe for running this plugin, as the plugin is only active at build time, so it wouldn't cause a DoS on a website.

Regardless, I will look into fixing this shortly. Thanks again for raising it.

$ npm install --save-dev eleventy-plugin-gen-favicons [19:07:01]

added 118 packages, and audited 119 packages in 15s

9 packages are looking for funding
  run `npm fund` for details

6 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

$ npm audit [19:07:28]
# npm audit report

jpeg-js  <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
No fix available
node_modules/jpeg-js
  @jimp/jpeg  <=0.12.0 || >=0.16.1
  Depends on vulnerable versions of jpeg-js
  node_modules/@jimp/jpeg
    @jimp/types  <=0.11.1-canary.891.908.0 || >=0.16.1
    Depends on vulnerable versions of @jimp/jpeg
    node_modules/@jimp/types
      jimp  0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
      Depends on vulnerable versions of @jimp/types
      node_modules/jimp
        png-to-ico  >=2.0.1
        Depends on vulnerable versions of jimp
        node_modules/png-to-ico
          eleventy-plugin-gen-favicons  *
          Depends on vulnerable versions of png-to-ico
          node_modules/eleventy-plugin-gen-favicons

6 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

NJAldwin commented 2 years ago

There is a related issue in the png-to-ico project: https://github.com/steambap/png-to-ico/issues/19

and the related issue in jimp: https://github.com/oliver-moran/jimp/issues/1088

It sounds like the png-to-ico library has not been updated yet, so I can't simply bump the version.

However, as the author confirms there, only the png part of the library is used, so hopefully the library is not susceptible to this issue.

I will investigate whether I can manually force a different version of jpeg-js, or maybe at least swap out jimp-compact as described in the issue above. Ideally, this would be fixed by the jimp project updating to a newer version of jpeg-js. Not sure what the timeline is on that :( .
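
An added check for the transitive chain discussed above, not code from the plugin or from anyone in this thread: it reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3), reports any installed jpeg-js below the version the advisory marks as fixed, and rebuilds the dependent chain that pulls it in. The embedded lockfile excerpt is constructed to mirror the audit tree; its version numbers are illustrative, not the real resolved ones.

```javascript
// Added example (not from the plugin or this thread): scan a package-lock.json "packages" map
// for copies of a package below an advisory's fixed version and rebuild the chain pulling it in.

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path, e.g. "node_modules/jimp/node_modules/@jimp/jpeg" -> "@jimp/jpeg".
const nameOf = (lockPath) => lockPath.split('node_modules/').pop();

// Every installed copy of pkgName whose version is below fixedIn (here: jpeg-js < 0.4.4).
function vulnerableInstances(lock, pkgName, fixedIn) {
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => nameOf(p) === pkgName && e.version && compareVersions(e.version, fixedIn) < 0)
    .map(([p, e]) => ({ path: p, version: e.version }));
}

// Follow the first dependent of each package back to the root ('' entry); bounded to avoid cycles.
function dependencyChain(lock, pkgName) {
  const chain = [pkgName];
  let current = pkgName;
  for (let guard = 0; guard < 100; guard++) {
    const parent = Object.entries(lock.packages).find(([p, e]) =>
      nameOf(p) !== current && current in { ...e.dependencies, ...e.devDependencies });
    if (!parent) break;
    chain.unshift(parent[0] === '' ? '(root)' : nameOf(parent[0]));
    if (parent[0] === '') break;
    current = nameOf(parent[0]);
  }
  return chain;
}

// Constructed lockfile excerpt mirroring the audit tree above; versions are illustrative only.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'my-site', devDependencies: { 'eleventy-plugin-gen-favicons': '*' } },
  'node_modules/eleventy-plugin-gen-favicons': { version: '1.0.0', dependencies: { 'png-to-ico': '*' } },
  'node_modules/png-to-ico': { version: '2.1.0', dependencies: { jimp: '*' } },
  'node_modules/jimp': { version: '0.16.1', dependencies: { '@jimp/types': '*' } },
  'node_modules/@jimp/types': { version: '0.16.1', dependencies: { '@jimp/jpeg': '*' } },
  'node_modules/@jimp/jpeg': { version: '0.16.1', dependencies: { 'jpeg-js': '*' } },
  'node_modules/jpeg-js': { version: '0.4.3' },
} };
console.log(vulnerableInstances(sampleLock, 'jpeg-js', '0.4.4'));
console.log(dependencyChain(sampleLock, 'jpeg-js').join(' -> '));
```

Running it against a real lockfile means replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a build-time-only dependency still shows up here, which is how the tree above was reached even though the plugin never runs on the deployed site.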

NJAldwin commented 1 year ago

png-to-ico has been updated. I will release a new version picking that up this week.

https://github.com/steambap/png-to-ico/pull/21

NJAldwin commented 1 year ago

I have released version 1.1.1 which now shows no vulnerabilities (commit c4c9572f9d7d46427d631682faac5c7d251bcdf9). Thanks again!