Closed oguilleux closed 4 years ago
Decompress has a PR in-progress: https://github.com/kevva/decompress/pull/73
decompress just merged a fix for this: https://github.com/kevva/decompress/pull/73#issuecomment-607268177
I'm just now realizing that @sindresorhus merged the fix for decompress and is a maintainer of gulp-imagemin. 🤦♂
Thanks for all the great work Sindre! 👏
@sindresorhus is it a matter of waiting for imagemin to pull in the update, and then gulp-imagemin can pull in the latest from imagemin for this? I'm not clear as to where decompress comes into the dependency tree here.
@colorful-tones decompress doesn't come into the dependency tree of this package directly. It comes as part of underlying packages. If we want this package to pull in those security updates, then we need to have them in each package of the dependency tree chain first.
Hi there, there seems to be a vulnerability with a dependency:

Arbitrary File Write with Package "decompress"
Path: gulp-imagemin > imagemin-optipng > optipng-bin > bin-wrapper > download > decompress
Path: gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-wrapper > download > decompress
Path: gulp-imagemin > imagemin-gifsicle > gifsicle > bin-wrapper > download > decompress
Path: gulp-imagemin > imagemin-optipng > optipng-bin > bin-build > download > decompress
Path: gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-build > download > decompress
Path: gulp-imagemin > imagemin-gifsicle > gifsicle > bin-build > download > decompress
Path: gulp-imagemin > imagemin-optipng > optipng-bin > bin-build > decompress
Path: gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-build > decompress
Path: gulp-imagemin > imagemin-gifsicle > gifsicle > bin-build > decompress

More info: https://npmjs.com/advisories/1217
Thanks for your work!
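The advisory paths above, and the point that every intermediate package has to pick up the fix before it reaches gulp-imagemin, can be checked mechanically. The following is an added example, not code from this thread or from gulp-imagemin: it walks a lock-file-style dependency graph, lists every path from the project root to a named package, and flags the paths whose resolved version is still below a given fixed version. The graph, the node names' versions and the "fixed" version are all constructed placeholders; the real fixed decompress version must be taken from the advisory.

```javascript
// Compare two x.y.z version strings numerically; true when `installed` < `fixed`.
// No prerelease or range handling: a lock file pins exact versions.
function isBelow(installed, fixed) {
  const a = installed.split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Graph shape: id -> { name, version, requires: [ids] }, like a flattened lock
// file in which one name may resolve to several versions (hence name@version ids).
function node(name, version, requires = []) {
  return { name, version, requires };
}

// Depth-first walk that records every root-to-target path (cycle-safe).
function findPaths(graph, rootId, targetName) {
  const paths = [];
  const walk = (id, trail) => {
    const n = graph[id];
    if (!n || trail.includes(id)) return;   // unknown node or dependency cycle
    const next = trail.concat(id);
    if (n.name === targetName) { paths.push(next); return; }
    for (const dep of n.requires) walk(dep, next);
  };
  walk(rootId, []);
  return paths;
}

// Paths still ending at a version below `fixedVersion`: each intermediate package
// on such a path must publish an update before the fix can reach the root.
function vulnerablePaths(graph, rootId, targetName, fixedVersion) {
  return findPaths(graph, rootId, targetName)
    .filter(p => isBelow(graph[p[p.length - 1]].version, fixedVersion));
}

// CONSTRUCTED sample graph mirroring the thread's paths; all versions are made up.
const SAMPLE = {
  'my-site': node('my-site', '0.0.0', ['gulp-imagemin']),
  'gulp-imagemin': node('gulp-imagemin', '0.0.0', ['imagemin-optipng', 'imagemin-mozjpeg']),
  'imagemin-optipng': node('imagemin-optipng', '0.0.0', ['optipng-bin']),
  'imagemin-mozjpeg': node('imagemin-mozjpeg', '0.0.0', ['mozjpeg']),
  'optipng-bin': node('optipng-bin', '0.0.0', ['bin-wrapper', 'bin-build']),
  'mozjpeg': node('mozjpeg', '0.0.0', ['bin-wrapper', 'bin-build']),
  'bin-wrapper': node('bin-wrapper', '0.0.0', ['download']),
  'bin-build': node('bin-build', '0.0.0', ['download', 'decompress@1.1.0']),
  'download': node('download', '0.0.0', ['decompress@1.0.0']),
  'decompress@1.0.0': node('decompress', '1.0.0'),   // below the made-up fixed version
  'decompress@1.1.0': node('decompress', '1.1.0'),   // already at the made-up fixed version
};

// Placeholder fixed version, not the real one from the advisory.
for (const p of vulnerablePaths(SAMPLE, 'my-site', 'decompress', '1.1.0')) console.log(p.join(' > '));
```

On the sample graph this prints the four paths that still reach decompress through download, and nothing for the two paths where bin-build already resolves the fixed version.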