papandreou / node-pngquant

The pngquant utility as a readable/writable stream
BSD 3-Clause "New" or "Revised" License
82 stars 23 forks

NPM flags many vulnerabilities #99

Open toufali opened 2 years ago

toufali commented 2 years ago

Wondering if this project is still maintained? Upon install I see 12 vulnerabilities (5 moderate, 7 high).

Thanks!

papandreou commented 2 years ago

Sure! Mind sharing some more details? PR welcome.

toufali commented 2 years ago

Sure thing! After npm install pngquant I see the following:

added 227 packages, and audited 1101 packages in 7s

125 packages are looking for funding
  run `npm fund` for details

12 vulnerabilities (5 moderate, 7 high)

(I had 0 vulnerabilities prior to install.)

After running npm audit I get the following report:

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install pngquant@0.4.0, which is a breaking change
node_modules/bin-wrapper/node_modules/got
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/bin-wrapper/node_modules/download
  node_modules/download
    bin-build  >=2.1.2
    Depends on vulnerable versions of download
    node_modules/bin-build
      pngquant-bin  >=3.0.0
      Depends on vulnerable versions of bin-build
      Depends on vulnerable versions of bin-wrapper
      node_modules/pngquant-bin
        pngquant  >=0.5.0
        Depends on vulnerable versions of pngquant-bin
        node_modules/pngquant
    bin-wrapper  >=0.4.0
    Depends on vulnerable versions of bin-version-check
    Depends on vulnerable versions of download
    node_modules/bin-wrapper

semver-regex  <=3.1.3
Severity: high
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via `npm audit fix --force`
Will install pngquant@0.4.0, which is a breaking change
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    bin-version  <=4.0.0
    Depends on vulnerable versions of find-versions
    node_modules/bin-version
      bin-version-check  <=4.0.0
      Depends on vulnerable versions of bin-version
      node_modules/bin-version-check

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/lpad-align/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/lpad-align/node_modules/meow

12 vulnerabilities (5 moderate, 7 high)

I imagine if we update trim-newlines, semver-regex, and got, most of the work would be done. If I can find time, I may open a PR!
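The report above is a dependency tree in which only three packages carry advisories of their own and the other nine are tainted through them. As an added example (not code from node-pngquant or from anyone in this thread), the script below reads the JSON shape `npm audit --json` produces and works out which findings each root advisory accounts for; the fixture is constructed from the quoted report and is not real npm output.

```javascript
// Added example, not code from node-pngquant. In `npm audit --json` (npm 7+) each
// vulnerabilities[name].via entry is an advisory object (the package is vulnerable itself) or a
// package name (it only depends on one), and .effects lists the dependents it taints. The fixture is
// constructed from the text report quoted above, trimmed to those two fields; not real npm output.
const A = (id) => ({ url: `https://github.com/advisories/${id}` });
const audit = { vulnerabilities: {
  got:                 { via: [A('GHSA-pfrx-2q88-qq97')],                           effects: ['download'] },
  download:            { via: ['got'],                                              effects: ['bin-build', 'bin-wrapper'] },
  'bin-build':         { via: ['download'],                                         effects: ['pngquant-bin'] },
  'bin-wrapper':       { via: ['bin-version-check', 'download'],                    effects: ['pngquant-bin'] },
  'pngquant-bin':      { via: ['bin-build', 'bin-wrapper'],                         effects: ['pngquant'] },
  pngquant:            { via: ['pngquant-bin'],                                     effects: [] },
  'semver-regex':      { via: [A('GHSA-44c6-4v22-4mhx'), A('GHSA-4x5v-gmq8-25ch')], effects: ['find-versions'] },
  'find-versions':     { via: ['semver-regex'],                                     effects: ['bin-version'] },
  'bin-version':       { via: ['find-versions'],                                    effects: ['bin-version-check'] },
  'bin-version-check': { via: ['bin-version'],                                      effects: ['bin-wrapper'] },
  'trim-newlines':     { via: [A('GHSA-7p7h-4mm5-852v')],                           effects: ['meow'] },
  meow:                { via: ['trim-newlines'],                                    effects: [] },
} };

// Packages carrying an advisory of their own, mapped to the GHSA ids taken from the advisory URLs.
function rootAdvisories(report) {
  const roots = {};
  for (const [name, v] of Object.entries(report.vulnerabilities)) {
    const ids = v.via.filter((x) => typeof x === 'object').map((x) => x.url.split('/').pop());
    if (ids.length) roots[name] = ids;
  }
  return roots;
}

// Every package that is vulnerable only because it (transitively) depends on `root`.
function blastRadius(report, root) {
  const seen = new Set(), stack = [root];
  while (stack.length) {
    for (const dep of report.vulnerabilities[stack.pop()]?.effects ?? []) {
      if (!seen.has(dep)) { seen.add(dep); stack.push(dep); }
    }
  }
  return [...seen].sort();
}

// Roots with their reach, plus any finding that none of the roots explains (should be empty here).
function triage(report) {
  const roots = rootAdvisories(report);
  const reach = Object.fromEntries(Object.keys(roots).map((r) => [r, blastRadius(report, r)]));
  const covered = new Set([...Object.keys(roots), ...Object.values(reach).flat()]);
  const uncovered = Object.keys(report.vulnerabilities).filter((n) => !covered.has(n));
  return { roots, reach, uncovered };
}
```

Running `triage(audit)` confirms the thread's reading: the three roots account for all 12 findings, so fixing got, semver-regex and trim-newlines (or the packages that pin them) clears the whole report.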

papandreou commented 2 years ago

Cool! Please do :)

toufali commented 2 years ago

PR opened: https://github.com/papandreou/node-pngquant/pull/100