Closed wszydlak closed 3 years ago
I don't think this is an overwhelmingly pressing vulnerability to resolve as spritesmith and pixelsmith are typically used for development only. I'll reach out to the get-pixels maintainer via other channels since they've usually been pretty quick in the past
That would be cool if they are able to fix it on their side. It would also be cool if you could reach out to them and find out whether they are still maintaining those packages. There is no guarantee that spritesmith is used only as a devDependency. It could also be used e.g. in production to dynamically generate sprites.
I've heard back from the maintainer and it seems like we should be landing the existing patch PRs soon
get-pixels and save-pixels were released with patch versions to loosen and bump the jpeg-js dependency:
These changes will automatically propagate to pixelsmith installs (once dependencies are upgraded/reinstalled) as we use ~ to automatically catch patch version updates
Thanks for the bug report =)
As get-pixels is ok, save-pixels is not, because it will still use the 0.3.x version, as ^0.3.2 will not resolve to 0.4.x (as of https://docs.npmjs.com/cli/v6/using-npm/semver#caret-ranges-123-025-004)
So this issue should stay open @twolfson
Please read that documentation again =/ ^ signifies 0.x.x so it resolves 0.4.x just fine
Nope:
In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.
And:
For versions starting with zero, e.g. 0.1.0, caret will allow only patch updates, e.g. ^0.1.0 cannot resolve into 0.2.0. It allows minor updates only for stable versions starting at least with 1, e.g. ^1.0.0 can resolve 1.3.0
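The caret rule quoted above, modelled as an added example (not code from this thread, from pixelsmith, or from the npm semver library): it implements only the plain ^X.Y.Z case from the npm docs, ignoring x-ranges and prerelease tags, and the jpeg-js candidate list is constructed for illustration.

```javascript
// Added example, not from the thread: a minimal model of npm caret-range
// semantics for plain ^X.Y.Z ranges (no x-ranges, no prerelease tags).
// Rule from the npm docs: a caret range allows changes that do not modify
// the left-most non-zero element of [major, minor, patch].

function parseVersion(v) {
  if (!/^\d+\.\d+\.\d+$/.test(v)) throw new Error(`invalid version: ${v}`);
  return v.split('.').map(Number);
}

// Lexicographic compare of two [major, minor, patch] tuples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: bump the left-most non-zero
// element and zero everything after it (^0.0.0 is treated as <0.0.1).
function caretUpperBound(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const v = parseVersion(range.slice(1));
  const idx = v.findIndex(n => n !== 0);
  const bound = [0, 0, 0];
  if (idx === -1) bound[2] = 1;
  else bound[idx] = v[idx] + 1;
  return bound;
}

// True when `version` lies in [range minimum, caretUpperBound(range)).
function satisfies(version, range) {
  const v = parseVersion(version);
  const min = parseVersion(range.slice(1));
  return compare(v, min) >= 0 && compare(v, caretUpperBound(range)) < 0;
}

// Highest candidate the range accepts, or null if none does.
function resolve(range, candidates) {
  const ok = candidates.filter(c => satisfies(c, range)).map(parseVersion);
  return ok.length ? ok.sort(compare).pop().join('.') : null;
}

// Constructed candidate list: the affected 0.3.2 plus later releases,
// standing in for the jpeg-js versions discussed in the thread.
const JPEG_JS_VERSIONS = ['0.3.2', '0.3.7', '0.4.0', '0.4.1'];

console.log(resolve('^0.3.2', JPEG_JS_VERSIONS)); // → 0.3.7, never 0.4.x
```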
Ugh, inconsistent specs... -_-;; I think we both missed that then (maintainer, myself).
I'll ping them again. Still technically not an issue with pixelsmith so leaving issue closed
Please let me know if they will fix it.
@twolfson any updates?
@twolfson
Ok, I prepared a pull request: https://github.com/scijs/save-pixels/pull/31
If you can reach the save-pixels authors, please send them this PR.
Thanks
Yea, I told them about reopening https://github.com/scijs/save-pixels/pull/28
I'm guessing the message fell through the cracks. Thanks for opening that new PR =) Will send it over to them. Fingers crossed it works 🤞
Looks like they've landed it and hopefully you should be all set now =) Thanks for bearing with us
Due to jpeg-js vulnerabilities https://nvd.nist.gov/vuln/detail/CVE-2020-8175 pixelsmith should consider switching to other libraries or writing a custom implementation instead of the get-pixels and save-pixels packages. Both of them use outdated jpeg-js versions which are affected (0.3.2 and 0.0.4). Those packages seem to be not maintained anymore: https://github.com/scijs/get-pixels/pull/49
According to https://github.com/scijs/get-pixels/pull/49#issuecomment-756520079 maybe pixelsmith should replace the packages with updated versions?