lokesh / color-thief

Grab the color palette from an image using just Javascript. Works in the browser and in Node.
https://lokeshdhakar.com/projects/color-thief/
MIT License

Getting security vulnerability due to get-pixels #246

Open somyarocketium opened 1 year ago

somyarocketium commented 1 year ago

Any better approach to fix this vulnerability?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ tough-cookie Prototype Pollution vulnerability               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tough-cookie                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ colorthief                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ colorthief > get-pixels > request > tough-cookie             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-72xf-g2v4-qvf3            │
└───────────────┴──────────────────────────────────────────────────────────────┘
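The advisory above is a transitive finding: the vulnerable package is reached only through `colorthief > get-pixels > request`. As an added example (not code from color-thief or from this thread), the script below walks an `npm ls --json`-style dependency tree, reports every path that reaches a named package, and flags occurrences whose resolved version is older than the advisory's patched release. The tree and all version numbers in it are constructed for illustration; only the dependency path mirrors the advisory.

```javascript
// Added example: locate a transitive dependency in an `npm ls --json`-style
// tree and compare its resolved version against an advisory's "Patched in".

// Minimal comparison of "MAJOR.MINOR.PATCH" strings (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; returns [{ path: 'a > b > c', version }] for every
// occurrence of `target`, so duplicated (nested) installs are all reported.
function findDependencyPaths(tree, target, trail = []) {
  const here = [...trail, tree.name];
  const hits = [];
  if (tree.name === target) hits.push({ path: here.join(' > '), version: tree.version });
  for (const [name, child] of Object.entries(tree.dependencies || {})) {
    hits.push(...findDependencyPaths({ name, ...child }, target, here));
  }
  return hits;
}

// Keep only the occurrences whose version is below the patched release.
function findVulnerable(tree, target, patchedIn) {
  return findDependencyPaths(tree, target)
    .filter(hit => compareVersions(hit.version, patchedIn) < 0);
}

// Constructed sample tree shaped like `npm ls --json --all` output.
// Version numbers are made up; the path is the one from the advisory.
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    colorthief: { version: '2.4.0', dependencies: {
      'get-pixels': { version: '3.3.3', dependencies: {
        request: { version: '2.88.2', dependencies: {
          'tough-cookie': { version: '4.1.2' }  // constructed: below the patched >=4.1.3
        } }
      } }
    } }
  }
};

for (const hit of findVulnerable(sampleTree, 'tough-cookie', '4.1.3')) {
  console.log(`vulnerable ${hit.version} via ${hit.path}`);
}
```

Feeding the real output of `npm ls --json --all` into `findVulnerable` in place of `sampleTree` gives the same report for an actual install.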

Yoda-Soda commented 9 months ago

bump

briandonahue commented 7 months ago

@Yoda-Soda @somyarocketium I submitted #254 but thought I'd tag you in case you wanted to check it out and/or provide feedback. Seems like a viable approach if we want to be able to use color-thief.