Open Poikilos opened 3 years ago
I got this one from dependabot: https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
https://github.com/poikilos/artspatter/security/dependabot/yarn.lock/jpeg-js/open:
Dependabot cannot update jpeg-js to a non-vulnerable version.
The latest possible version that can be installed is 0.2.0 because of the following conflicting dependency:
node-thumbnail@0.15.0 requires jpeg-js@^0.2.0 via a transitive dependency on jimp@0.2.27
The earliest fixed version is 0.4.0.
1 jpeg-js vulnerability found in yarn.lock on Dec 23, 2020
Remediation: Upgrade jpeg-js to version 0.4.0 or later. For example:
    jpeg-js@^0.4.0:
      version "0.4.0"
Always verify the validity and compatibility of suggestions with your codebase.
Details: CVE-2020-8175, moderate severity
Vulnerable versions: < 0.4.0
Patched version: 0.4.0
Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow an attacker to launch denial of service attacks using a specially crafted JPEG image.
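As an added example that is not part of this issue or the artspatter project, the Node script below audits a yarn.lock (v1 format) for jpeg-js entries still resolved below the patched 0.4.0 named in the advisory; the lockfile text is constructed to mirror the node-thumbnail, jimp, jpeg-js chain Dependabot reported, and the parser only reads entry headers and `version` lines.

```javascript
// Constructed yarn.lock v1 fragment reproducing the reported conflict:
// node-thumbnail@0.15.0 -> jimp@0.2.27 -> jpeg-js@^0.2.0 (resolves to 0.2.0).
const SAMPLE_LOCK = `
jimp@0.2.27:
  version "0.2.27"
  dependencies:
    jpeg-js "^0.2.0"

jpeg-js@^0.2.0:
  version "0.2.0"

node-thumbnail@0.15.0:
  version "0.15.0"
  dependencies:
    jimp "0.2.27"
`;

// Parse top-level yarn.lock v1 entries into { name, specifiers, version }.
// Header lines are unindented, end in ":" and list comma-separated
// "name@range" specifiers (optionally quoted); nested fields are indented.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const specifiers = raw.replace(/:$/, "").split(",")
        .map(s => s.trim().replace(/^"|"$/g, ""));
      // lastIndexOf handles scoped names such as @scope/pkg@^1.0.0
      const name = specifiers[0].slice(0, specifiers[0].lastIndexOf("@"));
      current = { name, specifiers, version: null };
      entries.push(current);
    } else {
      const m = raw.match(/^  version "([^"]+)"/);
      if (m && current) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison (pre-release tags are ignored).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Lock entries of `pkg` whose resolved version is still below `patched`.
function findVulnerable(lockText, pkg, patched) {
  return parseYarnLock(lockText)
    .filter(e => e.name === pkg && e.version && versionLessThan(e.version, patched));
}

for (const h of findVulnerable(SAMPLE_LOCK, "jpeg-js", "0.4.0")) {
  console.log(`${h.specifiers.join(", ")} -> ${h.version} (below 0.4.0)`);
}
```

A caret range on a 0.x version (`^0.2.0`) never admits 0.4.0 under semver, which is why the transitive pin above blocks Dependabot until the intermediate packages are upgraded or the resolution is overridden.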