colorjs / get-image-colors

Extract colors from GIF, PNG, JPG, and SVG images

consider updating the dependencies to get rid of some vulnerabilities #31

Closed quiquelhappy closed 1 year ago

quiquelhappy commented 2 years ago

as of right now, this package is adding 5 severe vulnerabilities to my project, it'd be nice if the dependencies were updated :)

quiquelhappy commented 2 years ago

I tried to update the dependencies, but the vulnerabilities are still there: it seems like get-svg-colors is causing the problems, after updating and trying an audit fix / audit fix --force

No fix available
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    cheerio  0.19.0 - 1.0.0-rc.3
    Depends on vulnerable versions of css-select
    node_modules/cheerio
      get-svg-colors  *
      Depends on vulnerable versions of cheerio
      node_modules/get-svg-colors

6 vulnerabilities (2 moderate, 4 high)

philwhln commented 1 year ago

We're hitting this too

get-image-colors@4.0.1 requires nth-check@~1.0.1 via a transitive dependency on css-select@1.2.0

Need nth-check >= 2.0.1
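A way to locate this kind of chain in your own install, added here as an example (not code from get-image-colors or its maintainers): it walks an `npm ls --json`-style tree and reports every path that reaches an nth-check older than the 2.0.1 fix. The tree below is constructed to mirror the chain above; the get-svg-colors version and the resolved nth-check version are assumptions.

```javascript
// Constructed sample in the shape `npm ls --json` emits. The get-svg-colors
// version (1.4.0) and the nth-check version resolved from ~1.0.1 (1.0.2) are
// assumed; the other versions are the ones reported in the issue.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "get-image-colors": {
      version: "4.0.1",
      dependencies: {
        "get-svg-colors": {
          version: "1.4.0",
          dependencies: {
            cheerio: {
              version: "1.0.0-rc.3",
              dependencies: {
                "css-select": {
                  version: "1.2.0",
                  dependencies: { "nth-check": { version: "1.0.2" } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Numeric major.minor.patch comparison; a pre-release suffix such as "-rc.3"
// is dropped, which is enough to decide fixed vs. unfixed here.
function versionLessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every root-to-leaf path (as "name@version" strings) ending at an installed
// copy of `pkg` that is older than `fixedIn`. Nested copies are all visited,
// so a deduped top-level install and a nested old one are both reported.
function findUnfixedPaths(tree, pkg, fixedIn) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && versionLessThan(node.version, fixedIn)) hits.push(here);
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(child, dep, here);
  };
  walk(tree, tree.name, []);
  return hits;
}

for (const p of findUnfixedPaths(SAMPLE_TREE, "nth-check", "2.0.1")) console.log(p.join(" > "));
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the output of `npm ls --all --json`.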

adityapatadia commented 1 year ago

@zeke a nudge to fix it.

zeke commented 1 year ago

I'm busy, but I will accept a PR with these updates! 🙏🏼

adityapatadia commented 1 year ago

PR: https://github.com/colorjs/get-svg-colors/pull/82

zeke commented 1 year ago

Just published 2.0.1 with updated cheerio. See https://github.com/colorjs/get-svg-colors/pull/82#issuecomment-1670520087 🚀

Thanks @adityapatadia. 🙏🏼

Gonna close this issue because it's old, but happy to accept any other PRs that update the deps as needed. 👍🏼