sindresorhus / gulp-imagemin

Minify PNG, JPEG, GIF and SVG images
MIT License
1.9k stars, 157 forks

Vulnerabilities detected with decompress #342

Closed oguilleux closed 4 years ago

oguilleux commented 4 years ago

Hi there, there seems to be a vulnerability with a dependency:

Arbitrary File Write with Package "decompress"

Path: gulp-imagemin > imagemin-optipng > optipng-bin > bin-wrapper > download > decompress
Path: gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-wrapper > download > decompress
Path: gulp-imagemin > imagemin-gifsicle > gifsicle > bin-wrapper > download > decompress
Path: gulp-imagemin > imagemin-optipng > optipng-bin > bin-build > download > decompress
Path: gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-build > download > decompress
Path: gulp-imagemin > imagemin-gifsicle > gifsicle > bin-build > download > decompress
Path: gulp-imagemin > imagemin-optipng > optipng-bin > bin-build > decompress
Path: gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-build > decompress
Path: gulp-imagemin > imagemin-gifsicle > gifsicle > bin-build > decompress

More info: https://npmjs.com/advisories/1217

Thanks for your work!

Ionaru commented 4 years ago

Decompress has a PR in-progress: https://github.com/kevva/decompress/pull/73

colorful-tones commented 4 years ago

decompress just merged a fix for this: https://github.com/kevva/decompress/pull/73#issuecomment-607268177

colorful-tones commented 4 years ago

I'm just now realizing that @sindresorhus merged a fix for decompress and is a maintainer of gulp-imagemin. 🤦‍♂

Thanks for all the great work Sindre! 👏

colorful-tones commented 4 years ago

@sindresorhus is it a matter of waiting for imagemin to pull in the update, and then gulp-imagemin can pull in the latest from imagemin for this?

I'm not clear as to where decompress comes in to the dependency tree here.

tjbulick commented 4 years ago

@colorful-tones decompress doesn't come into the dependency tree of this package directly. It comes in as a part of the underlying packages. If we want this package to pull in those security updates, then we need to have them in each package of the dependency tree chain first.