amishshah / prism-media

Easily transcode media using Node.js 🎶
https://amishshah.github.io/prism-media
Apache License 2.0

Update of dependent package "@discordjs/opus" #92

Closed kokarare1212 closed 2 years ago

kokarare1212 commented 2 years ago

Issue:

It uses the dependency package "ansi-regex" (https://github.com/advisories/GHSA-93q8-gq69-wqmw), which is vulnerable due to an outdated version of the dependency package "@discordjs/opus". The version of the dependent package "@discordjs/opus" needs to be updated.

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/strip-ansi
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width
`-- @discordjs/opus@0.5.3
  `-- @discordjs/node-pre-gyp@0.4.2
    `-- npmlog@5.0.1
      `-- gauge@3.0.1
        `-- strip-ansi@4.0.0
          `-- ansi-regex@3.0.0

Further details:

fredkilbourn commented 2 years ago

This issue is further upstream and needs to be fixed first: https://github.com/discordjs/node-pre-gyp/issues/5

fredkilbourn commented 2 years ago

The current versions of @discordjs/opus are also vulnerable. Once @discordjs/node-pre-gyp is fixed @discordjs/opus will also need to reference that fix. Once that happens prism-media can pull in the update.
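The npm audit output in the issue and the upstream chain described in the comment above are the same thing seen from two ends: a vulnerable leaf (ansi-regex) that is only reachable through several intermediate packages. The following is an added example, not code from prism-media or from anyone in this thread. It walks a constructed lockfile-v2-style "packages" map (the keys and versions are constructed to mirror the audit chain quoted in the issue), applies the advisory range npm printed for ansi-regex (>2.1.1 <5.0.1), and reports every root-to-leaf path that ends in a vulnerable version. `withPatchedLeaf` is an assumed helper that simulates bumping the nested ansi-regex past the range, to show the path disappears once the upstream fix is pulled in.

```javascript
// Added example (not part of prism-media or this thread): find dependency paths
// from the project root to packages whose installed version is in a vulnerable
// range, using a constructed lockfile-v2-style "packages" map.

// Vulnerable ranges keyed by package name. Both ends are exclusive, matching the
// ">2.1.1 <5.0.1" notation in the npm audit report quoted in the issue.
const VULN_RANGES = {
  'ansi-regex': [{ gt: '2.1.1', lt: '5.0.1' }],
};

// Compare two plain "major.minor.patch" versions numerically.
// Assumption: no prerelease or build suffixes (true for every version in this thread).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(name, version, ranges) {
  return (ranges[name] || []).some(
    (r) => compareVersions(version, r.gt) > 0 && compareVersions(version, r.lt) < 0,
  );
}

// Package name from a lock key such as "node_modules/gauge/node_modules/strip-ansi";
// scoped names like "@discordjs/opus" keep their scope.
function packageName(lockKey) {
  const marker = 'node_modules/';
  return lockKey.slice(lockKey.lastIndexOf(marker) + marker.length);
}

// Node's resolution rule: look for <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the project root ("").
function resolveDependency(lock, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock[candidate]) return candidate;
    if (!base) return null; // not installed at all (e.g. an optional dependency)
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Depth-first walk from the root entry, collecting every root-to-vulnerable path.
function findVulnerablePaths(lock, ranges) {
  const hits = [];
  const visit = (key, trail, onStack) => {
    const entry = lock[key];
    if (!entry || onStack.has(key)) return; // skip missing entries and cycles
    onStack.add(key);
    if (key !== '') {
      const name = packageName(key);
      trail = [...trail, `${name}@${entry.version}`];
      if (isVulnerable(name, entry.version, ranges)) hits.push(trail);
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depKey = resolveDependency(lock, key, dep);
      if (depKey !== null) visit(depKey, trail, onStack);
    }
    onStack.delete(key);
  };
  visit('', [], new Set());
  return hits;
}

function formatPath(trail) {
  return trail.join(' > ');
}

// Constructed lock data mirroring the chain in the audit report. The hoisted
// strip-ansi 6.0.0 / ansi-regex 5.0.1 pair is a non-vulnerable control; gauge
// needs strip-ansi 4, which conflicts with the hoisted copy, so npm nests it.
const CONSTRUCTED_LOCK = {
  '': { dependencies: { '@discordjs/opus': '^0.5.3', 'strip-ansi': '^6.0.0' } },
  'node_modules/strip-ansi': { version: '6.0.0', dependencies: { 'ansi-regex': '^5.0.1' } },
  'node_modules/ansi-regex': { version: '5.0.1' },
  'node_modules/@discordjs/opus': { version: '0.5.3', dependencies: { '@discordjs/node-pre-gyp': '^0.4.2' } },
  'node_modules/@discordjs/node-pre-gyp': { version: '0.4.2', dependencies: { npmlog: '^5.0.1' } },
  'node_modules/npmlog': { version: '5.0.1', dependencies: { gauge: '^3.0.1' } },
  'node_modules/gauge': { version: '3.0.1', dependencies: { 'strip-ansi': '^4.0.0' } },
  'node_modules/gauge/node_modules/strip-ansi': { version: '4.0.0', dependencies: { 'ansi-regex': '^3.0.0' } },
  'node_modules/gauge/node_modules/ansi-regex': { version: '3.0.0' },
};

// Assumed helper: simulate the nested leaf being bumped past the advisory range,
// which is the effect of the upstream fix finally reaching this tree.
function withPatchedLeaf(lock) {
  return { ...lock, 'node_modules/gauge/node_modules/ansi-regex': { version: '5.0.1' } };
}

for (const p of findVulnerablePaths(CONSTRUCTED_LOCK, VULN_RANGES)) console.log(formatPath(p));
console.log('after patch:', findVulnerablePaths(withPatchedLeaf(CONSTRUCTED_LOCK), VULN_RANGES).length, 'paths');
```

Run with `node` and the single reported path reads `@discordjs/opus@0.5.3 > @discordjs/node-pre-gyp@0.4.2 > npmlog@5.0.1 > gauge@3.0.1 > strip-ansi@4.0.0 > ansi-regex@3.0.0`, which is exactly why a fix has to land in node-pre-gyp and then in opus before prism-media can pick it up: only the leaf version matters for the advisory, and every package on the path pins the one below it. The version comparison deliberately ignores prerelease tags; feed it a real `package-lock.json` `packages` map and you would want a full semver library instead.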

kokarare1212 commented 2 years ago

Yes, I understand. I will wait until a fixed version is released.

darahask commented 2 years ago

@fredkilbourn any update on this issue?

fredkilbourn commented 2 years ago

I think they fixed it a while ago...

sasjafor commented 2 years ago

What exactly is this waiting on? Locally running npm i with @discordjs/opus updated to 0.8.0 seems to work. Can I create a PR to get this finally resolved?

fredkilbourn commented 2 years ago

This issue is referencing an issue from last year, not related to the CVE from this month.

fredkilbourn commented 2 years ago

Opened an issue for the new CVE: https://github.com/amishshah/prism-media/issues/105

This issue #92 should be closed.

amishshah commented 2 years ago

Fixed in v1.3.4