infinitered / nsfwjs

NSFW detection on the client-side via TensorFlow.js
https://nsfwjs.com/
MIT License
8.13k stars 547 forks

Package vulnerabilities #659

Open NViviers opened 2 years ago

NViviers commented 2 years ago

When installing version 2.4.1 NPM reports 4 total vulnerabilities, 3 moderate and 1 high.

node_modules/jpeg-js
  get-pixels-frame-info-update  *
  Depends on vulnerable versions of jpeg-js
  node_modules/get-pixels-frame-info-update
    @nsfw-filter/gif-frames  *
    Depends on vulnerable versions of get-pixels-frame-info-update
    node_modules/@nsfw-filter/gif-frames
      nsfwjs  >=2.3.0
      Depends on vulnerable versions of @nsfw-filter/gif-frames
      node_modules/nsfwjs

Can we get a fix on this?

GantMan commented 2 years ago

Can you get me a list based off of installing master? That way I can know what to get fixed in order to do a fresh release?

Some of these will most-likely resolve with using master.

GantMan commented 2 years ago

I do have a plan to get snyk working on the repo to catch these early, but I hit a few snags.

NViviers commented 2 years ago

Do you mean this?

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

Let me know how to get what you want, and I'll be happy to help

GantMan commented 2 years ago

Try release 2.4.2 and let me know if it fixes things.

NViviers commented 2 years ago

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 

added 143 packages, and audited 144 packages in 6s

12 packages are looking for funding
  run `npm fund` for details

4 vulnerabilities (3 moderate, 1 high)

GantMan commented 2 years ago

I have Snyk running on my local machine. So now I can see the 4 vulnerabilities and identify when they are removed.

Most critical errors come from the ability to detect GIF frames. If you're not using the classifyGif functionality, these security issues are not a problem.

If you'd like to fix these - can you send a pull-request to https://github.com/nsfw-filter/gif-frames to update their dependencies? When they update, I'll point NSFWJS to the latest.
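
The audit listing NViviers pasted (jpeg-js reached through get-pixels-frame-info-update, @nsfw-filter/gif-frames and nsfwjs), the later 4-finding summary, and the point above that the findings only matter when classifyGif is used all come down to reading the dependency path behind each finding. As an added example, not code from nsfwjs or from anyone in this thread, the script below walks the `vulnerabilities` object that npm 7+ emits from `npm audit --json`, recovers the chain from each direct dependency down to the package that actually carries the advisory, and checks whether every such chain passes through a given package (here @nsfw-filter/gif-frames). The audit object is constructed to mirror the chain quoted in the issue; its severities match only the reported totals, its ranges, advisory title and URL are placeholders, and the field layout is an assumption about npm's JSON format.

```javascript
// Added example, not part of nsfwjs or this issue thread.
// Walks the `vulnerabilities` object produced by `npm audit --json` (npm 7+
// layout assumed: each entry has name, severity, isDirect, range, via, effects;
// `via` holds advisory objects for the package that carries the flaw and plain
// package-name strings for packages affected only through a dependency).

// Constructed sample mirroring the chain quoted in this issue. Severities match
// only the reported totals (3 moderate, 1 high); the "*" ranges, the advisory
// title and the URL are placeholders, not real advisory data.
const sampleAudit = {
  vulnerabilities: {
    "jpeg-js": {
      name: "jpeg-js", severity: "high", isDirect: false, range: "*",
      via: [{ source: 0, name: "jpeg-js", title: "PLACEHOLDER advisory title",
              severity: "high", url: "https://example.invalid/advisory/PLACEHOLDER" }],
      effects: ["get-pixels-frame-info-update"],
    },
    "get-pixels-frame-info-update": {
      name: "get-pixels-frame-info-update", severity: "moderate", isDirect: false,
      range: "*", via: ["jpeg-js"], effects: ["@nsfw-filter/gif-frames"],
    },
    "@nsfw-filter/gif-frames": {
      name: "@nsfw-filter/gif-frames", severity: "moderate", isDirect: false,
      range: "*", via: ["get-pixels-frame-info-update"], effects: ["nsfwjs"],
    },
    "nsfwjs": {
      name: "nsfwjs", severity: "moderate", isDirect: true,
      range: ">=2.3.0", via: ["@nsfw-filter/gif-frames"], effects: [],
    },
  },
};

// Packages whose `via` holds an advisory object are where the flaw lives;
// every other entry is flagged only because it depends on one of these.
function rootCauses(audit) {
  return Object.values(audit.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => v.name);
}

// All dependency chains from `pkgName` down to a root-cause package, following
// the string entries in `via`. `seen` guards against cycles in the audit graph.
function chainsFrom(audit, pkgName, seen = new Set()) {
  const entry = audit.vulnerabilities[pkgName];
  if (!entry || seen.has(pkgName)) return [[pkgName]];
  const nextSeen = new Set(seen).add(pkgName);
  const deps = entry.via.filter((x) => typeof x === "string");
  if (deps.length === 0) return [[pkgName]];
  return deps.flatMap((d) =>
    chainsFrom(audit, d, nextSeen).map((chain) => [pkgName, ...chain])
  );
}

// True when every chain from `directPkg` to a root cause passes through
// `gatePkg`, i.e. the vulnerable code is reachable only via that dependency
// (the situation described for the GIF frame path in this issue).
function reachableOnlyVia(audit, directPkg, gatePkg) {
  const chains = chainsFrom(audit, directPkg);
  return chains.length > 0 && chains.every((c) => c.includes(gatePkg));
}

// Severity counts plus the chains behind each direct dependency npm flagged.
function summarize(audit) {
  const entries = Object.values(audit.vulnerabilities);
  const bySeverity = {};
  for (const v of entries) bySeverity[v.severity] = (bySeverity[v.severity] || 0) + 1;
  const chains = {};
  for (const v of entries) if (v.isDirect) chains[v.name] = chainsFrom(audit, v.name);
  return { total: entries.length, bySeverity, roots: rootCauses(audit), chains };
}

// Report for the constructed audit; for a real project, JSON.parse the output
// of `npm audit --json` and pass that object instead of sampleAudit.
console.log(JSON.stringify(summarize(sampleAudit), null, 2));
console.log("only via gif-frames:",
  reachableOnlyVia(sampleAudit, "nsfwjs", "@nsfw-filter/gif-frames"));
```

The report lists jpeg-js as the sole root cause and one chain for the direct dependency nsfwjs, so the answer to "is this reachable without the GIF path?" is read straight off the output rather than inferred from the indented `npm audit` text; the same walk over a real audit shows whether a later fix (pointing nsfwjs at an updated gif-frames) actually removed the chain or only shortened it.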

NViviers commented 2 years ago

Thank you for checking them. Is this pull request perhaps trying to fix this problem?

GantMan commented 2 years ago

That looks correct. Seems everyone is too busy, hahahaha.

pprathameshmore commented 1 year ago

I am having a vulnerability issue in the request package used by get-pixels-frame-info-update@3.3.2

GantMan commented 1 year ago

That's the gif package. I hope someone can fork it and upgrade.