SECURITY: npm audit found an issue in request dep.

[houd1ni]

Hi! See https://github.com/ericblade/quagga2/issues/494

[SVillette]

@mikolalysenko any chance fixing the security issue ? Is this project still maintained ?

[houd1ni]

@SVillette hi! I'm about to fix it in a special fork as told in that attached issue. Thanks for reminding. Will post it here with mention.

[m6a-UdS]

Any update? 👀

[houd1ni]

Any update? 👀

Almost got back here. 🐌

[donmccurdy]

For anyone blocked on this issue — I'm maintaining a near-equivalent library, ndarray-pixels, based on get-pixels and save-pixels. Some differences to note:

• On web, ndarray-pixels uses Canvas2D and imports no dependencies. Browserify is no longer required.
• On Node.js, ndarray-pixels now uses sharp. Sharp includes support for considerably more image formats.
• Input must be a Uint8Array or Buffer. Support for loading URLs, Data URIs, and filesystem paths has been removed. I recommend using environment-native APIs for that, avoiding the class of problem in this thread.
• getPixels returns a Promise<ndarray<Uint8Array>>, and no longer accepts a callback.

Example:

import { getPixels, savePixels } from 'ndarray-pixels';
import fs from 'node:fs';

// read
const pixels = await getPixels(bytesIn, 'image/png'); // Uint8Array -> ndarray

// modify
for (let i = 0; i < pixels.shape[0]; ++i) {
  for (let j = 0; j < pixels.shape[1]; ++j) {
    pixels.set(i, j, 255);
  }
}

// write
const bytesOut = await savePixels(pixels, 'image/png'); // ndarray -> Uint8Array

[houd1ni]

@donmccurdy can it be used with https://github.com/ericblade/quagga2/issues/494 ?

[donmccurdy]

@houd1ni Yes, looking at the usage here...

https://github.com/ericblade/quagga2/blob/2f2cd190a02cae6d9b847b938aab43e8630ff2bb/src/input/input_stream/input_stream.ts#L46-L50

... you'd just need to fetch the URL first (using fetch() or some other library), then pass the Uint8Array or Buffer result into getPixels, which returns Promise<ndarray>.

[the-marolie]

@dy - I see that request have been removed with this PR - https://github.com/scijs/get-pixels/pull/67 But the npm release still has the old code. Any plan on releasing the new package to npm? Would solve a lot of security issues reported by audit in our project