arthurbergmz / webpack-pwa-manifest

Progressive Web App Manifest Generator for Webpack, with auto icon resizing and fingerprinting support.
MIT License
514 stars 94 forks

audit v4.3.0 - moderate - jimp is no longer maintained #170

Open Lewis-Moten opened 2 years ago

Lewis-Moten commented 2 years ago

Performing an NPM audit raised a moderate severity on jpeg-js, which is nested inside webpack-pwa-manifest@4.3.0. It recommends rolling back to webpack-pwa-manifest@4.0.0. It appears that the latest version of jimp@0.16.1 is vulnerable, and that the project is no longer being maintained. Can this package be changed to rely on another image package or one of the 712+ forks of jimp?

Jimp was already updated to the latest version and merged in PR #145

lewismoten@Lewiss-MacBook-Pro www % npm audit
# npm audit report

jpeg-js  <0.4.4
Severity: moderate
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install webpack-pwa-manifest@4.0.0, which is a breaking change
node_modules/jpeg-js
  @jimp/jpeg  <=0.12.0 || >=0.16.1
  Depends on vulnerable versions of jpeg-js
  node_modules/@jimp/jpeg
    @jimp/types  <=0.11.1-canary.891.908.0 || >=0.16.1
    Depends on vulnerable versions of @jimp/jpeg
    node_modules/@jimp/types
      jimp  0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
      Depends on vulnerable versions of @jimp/types
      node_modules/jimp
        webpack-pwa-manifest  >=4.1.0
        Depends on vulnerable versions of jimp
        node_modules/webpack-pwa-manifest

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
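The audit output above is the useful part of the report: it shows the chain from the application root down through webpack-pwa-manifest, jimp, @jimp/types and @jimp/jpeg to the vulnerable jpeg-js. The script below is an added example, not code from the issue or from webpack-pwa-manifest, that walks a dependency tree shaped like `npm ls --json` output, reports every path reaching a version inside the advisory's vulnerable range, and builds the npm `overrides` entry (supported since npm 8.3) a maintainer could use to pin the transitive package to the first fixed release. The tree, the `jpeg-js@0.4.1` version, the `www` root project, and the helper names `findVulnerablePaths`, `satisfies` and `buildOverride` are constructed for the example; the `<0.4.4` range is the one npm audit printed for GHSA-xvf7-4v9q-58w6.

```javascript
// Added example (not from the issue or the project): locate vulnerable
// transitive dependencies in an `npm ls --json`-shaped tree and build an
// npm `overrides` entry that pins the fixed version.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Compare two versions like a sort comparator: negative, zero or positive.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Minimal matcher for the range forms npm audit prints:
// "<0.4.4", "<=0.12.0", ">=0.16.1", hyphen ranges "a - b", joined by "||".
function satisfies(version, range) {
  return range.split('||').some((clause) => {
    const c = clause.trim();
    const hyphen = c.split(' - ');
    if (hyphen.length === 2) {
      return compareVersions(version, hyphen[0]) >= 0 &&
             compareVersions(version, hyphen[1]) <= 0;
    }
    const m = c.match(/^(<=|>=|<|>|=)?\s*(\S+)$/);
    if (!m) throw new Error(`unsupported range: ${c}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<':  return cmp < 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '>=': return cmp >= 0;
      default:   return cmp === 0;
    }
  });
}

// Depth-first walk over { name, version, dependencies: { name: { version, dependencies } } }.
// Returns one "root > ... > pkg@version" string per vulnerable occurrence.
function findVulnerablePaths(tree, advisories) {
  const hits = [];
  const walk = (name, node, path) => {
    const here = [...path, `${name}@${node.version}`];
    const range = advisories[name];
    if (range && satisfies(node.version, range)) hits.push(here.join(' > '));
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(dep, child, here);
    }
  };
  walk(tree.name, tree, []);
  return hits;
}

// package.json fragment forcing every copy of `pkg` to `fixedVersion` (npm >= 8.3 overrides).
function buildOverride(pkg, fixedVersion) {
  return { overrides: { [pkg]: fixedVersion } };
}

// Constructed tree mirroring the chain in the audit output; versions of the
// leaf jpeg-js copies and the second library are made up for the example.
const SAMPLE_TREE = {
  name: 'www', version: '1.0.0',
  dependencies: {
    'webpack-pwa-manifest': { version: '4.3.0', dependencies: {
      jimp: { version: '0.16.1', dependencies: {
        '@jimp/types': { version: '0.16.1', dependencies: {
          '@jimp/jpeg': { version: '0.16.1', dependencies: {
            'jpeg-js': { version: '0.4.1' } } } } } } } } },
    'some-other-lib': { version: '2.0.0', dependencies: {
      'jpeg-js': { version: '0.4.4' } } }   // already on the fixed release
  }
};

// Vulnerable range as printed by npm audit for GHSA-xvf7-4v9q-58w6.
const ADVISORIES = { 'jpeg-js': '<0.4.4' };

console.log(findVulnerablePaths(SAMPLE_TREE, ADVISORIES).join('\n'));
console.log(JSON.stringify(buildOverride('jpeg-js', '0.4.4')));
```

Run it as a plain Node script; in a real project replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json`. The matcher deliberately handles only the comparator and hyphen forms that appear in audit reports, so unsupported syntax throws rather than silently returning "not vulnerable".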

deleonio commented 2 years ago

How can we organize a new release?!

Should we fork or could we become a contributor with permission?!