arthurbergmz / webpack-pwa-manifest

Progressive Web App Manifest Generator for Webpack, with auto icon resizing and fingerprinting support.
MIT License
514 stars 93 forks

Use latest jimp to fix minimist security vulnerability #121

Closed Den-dp closed 4 years ago

Den-dp commented 4 years ago

Repro:

PS C:\dev\temp> npm init -y
Wrote to C:\dev\temp\package.json:
PS C:\dev\temp> npm i webpack-pwa-manifest
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
...
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN temp@1.0.0 No description
npm WARN temp@1.0.0 No repository field.

+ webpack-pwa-manifest@4.2.0
added 69 packages from 98 contributors and audited 163 packages in 6.198s
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
PS C:\dev\temp> npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Low             Prototype Pollution

  Package         minimist

  Patched in      >=0.2.1 <1.0.0 || >=1.2.3

  Dependency of   webpack-pwa-manifest

  Path            webpack-pwa-manifest > jimp > @jimp/custom > @jimp/core >
                  mkdirp > minimist

  More info       https://npmjs.com/advisories/1179

found 1 low severity vulnerability in 163 scanned packages
  1 vulnerability requires manual review. See the full report for details.
PS C:\dev\temp> npm audit fix
npm WARN temp@1.0.0 No description
npm WARN temp@1.0.0 No repository field.

up to date in 0.349s
fixed 0 of 1 vulnerability in 163 scanned packages
  1 vulnerability required manual review and could not be updated

The latest jimp should fix it as per https://github.com/oliver-moran/jimp/pull/857

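One way to check a lock file for this kind of transitive, manual-review finding, as an added example that is not code from the issue thread or from the webpack-pwa-manifest project: the script walks an npm 6 package-lock.json (lockfileVersion 1, the format npm wrote in the repro), lists each dependency path from a direct dependency to minimist, and checks the installed version of every copy against the advisory's "Patched in" range. The lock file contents are constructed: only webpack-pwa-manifest@4.2.0, the dependency chain and the patched range come from the npm audit output above; the intermediate version numbers, the nested minimist copy under mkdirp and the "example-cli" root are placeholders chosen for the example.

```javascript
// Added example: not code from the issue thread or from webpack-pwa-manifest.
// Walks an npm 6 package-lock.json (lockfileVersion 1) from the project's
// direct dependencies to a target package and checks every installed copy
// against an advisory "Patched in" range such as ">=0.2.1 <1.0.0 || >=1.2.3".

// Constructed, trimmed lock file. The chain webpack-pwa-manifest > jimp >
// @jimp/custom > @jimp/core > mkdirp > minimist and the 4.2.0 version are
// from the npm audit output; every other version, the nested minimist copy
// and the "example-cli" root are placeholders chosen for this example.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "webpack-pwa-manifest": { version: "4.2.0", requires: { jimp: "*" } },
    jimp: { version: "0.0.0", requires: { "@jimp/custom": "*" } },
    "@jimp/custom": { version: "0.0.0", requires: { "@jimp/core": "*" } },
    "@jimp/core": { version: "0.0.0", requires: { mkdirp: "*" } },
    mkdirp: {
      version: "0.0.0",
      requires: { minimist: "*" },
      // a copy nested under mkdirp shadows the hoisted top-level one
      dependencies: { minimist: { version: "1.2.0" } },
    },
    "example-cli": { version: "0.0.0", requires: { minimist: "*" } },
    minimist: { version: "1.2.5" },
  },
};

// Advisory fields as npm audit printed them in the issue.
const MINIMIST_ADVISORY = {
  package: "minimist",
  patchedIn: ">=0.2.1 <1.0.0 || >=1.2.3",
  moreInfo: "https://npmjs.com/advisories/1179",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

const OPS = {
  ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0,
  "<": (c) => c < 0, "=": (c) => c === 0, "": (c) => c === 0,
};

// Handles only the "||"-separated comparator sets npm audit prints
// (no ^ or ~ ranges).
function satisfiesRange(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      return OPS[m[1] || ""](compareVersions(version, m[2]));
    }));
}

// npm 6 lookup order: the requiring package's own nested `dependencies`,
// then each ancestor's, then the hoisted top level.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Lock v1 does not mark direct dependencies, so the roots come from package.json.
function findPaths(lock, roots, target) {
  const hits = [];
  const walk = (name, pkg, scopes, path) => {
    if (path.includes(name)) return;                // cycle guard
    const here = [...path, name];
    if (name === target) { hits.push({ path: here, version: pkg.version }); return; }
    const inner = [...scopes, pkg.dependencies];
    for (const dep of Object.keys(pkg.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, here);
    }
  };
  for (const root of roots) {
    const pkg = lock.dependencies[root];
    if (pkg) walk(root, pkg, [lock.dependencies], []);
  }
  return hits;
}

function auditPackage(lock, roots, advisory) {
  return findPaths(lock, roots, advisory.package).map((hit) => ({
    path: hit.path.join(" > "),
    version: hit.version,
    patched: satisfiesRange(hit.version, advisory.patchedIn),
  }));
}

const REPORT = auditPackage(SAMPLE_LOCK, ["webpack-pwa-manifest", "example-cli"], MINIMIST_ADVISORY);
for (const r of REPORT) {
  console.log(`${r.patched ? "ok  " : "VULN"} ${r.version.padEnd(7)} ${r.path}`);
}
```

The report flags the copy nested under mkdirp (1.2.0) while the hoisted copy (1.2.5) passes, which is the shape of finding that `npm audit fix` cannot resolve on its own: the vulnerable copy is pinned by an intermediate package's requirement, so the fix has to arrive through an updated release of that package, as the issue proposes for jimp.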
Den-dp commented 4 years ago

So as a temporary solution I released a fix from my fork https://github.com/Den-dp/webpack-pwa-manifest/releases/tag/v4.2.1 🙌

You can install it via:

npm i webpack-pwa-manifest-contrib@4.2.1 -D

Please notice the new name with -contrib at the end, and make sure to change require('webpack-pwa-manifest-contrib') in webpack.config.js.

wscourge commented 4 years ago

@Den-dp could you maybe publish it as a PR to this repository?

Den-dp commented 4 years ago

@wscourge The #122 PR still exists in this repository but is closed because of the reasons.

I hope it's possible to merge it, even if it's closed 😅

arthurbergmz commented 4 years ago

Dependencies up-to-date, thank you.