twolfson / pixelsmith

Node-based engine for `spritesmith` built on top of `get-pixels` and `save-pixels`.
The Unlicense
24 stars, 10 forks

Abandon usage of get-pixels and save-pixels due to vulnerabilities #19

Closed wszydlak closed 3 years ago

wszydlak commented 3 years ago

Due to jpeg-js vulnerabilities (https://nvd.nist.gov/vuln/detail/CVE-2020-8175), pixelsmith should consider switching to other libraries or writing a custom implementation instead of the get-pixels and save-pixels packages. Both of them use outdated jpeg-js versions which are affected (0.3.2 and 0.0.4).

Those packages seem to be no longer maintained: https://github.com/scijs/get-pixels/pull/49

According to https://github.com/scijs/get-pixels/pull/49#issuecomment-756520079, maybe pixelsmith should replace the packages with updated versions?

twolfson commented 3 years ago

I don't think this is an overwhelmingly pressing vulnerability to resolve, as spritesmith and pixelsmith are typically used for development only. I'll reach out to the get-pixels maintainer via other channels, since they've usually been pretty quick in the past.

wszydlak commented 3 years ago

It would be cool if they are able to fix it on their side. It would also be cool if you reached out to them and found out whether they are still maintaining those packages. There is no guarantee that spritesmith is used only as a devDependency. It could also be used e.g. in production to dynamically generate sprites.

twolfson commented 3 years ago

I've heard back from the maintainer and it seems like we should be landing the existing patch PRs soon.

twolfson commented 3 years ago

get-pixels and save-pixels were released with patch versions to loosen and bump the jpeg-js dependency:

These changes will automatically propagate to pixelsmith installs (once dependencies are upgraded/reinstalled), as we use ~ to automatically catch patch version updates.

Thanks for the bug report =)

wszydlak commented 3 years ago

While get-pixels is ok, save-pixels is not, because it will still use the 0.3.x version, as ^0.3.2 will not resolve to 0.4.x (see https://docs.npmjs.com/cli/v6/using-npm/semver#caret-ranges-123-025-004).

So this issue should stay open @twolfson

twolfson commented 3 years ago

Please read that documentation again =/ ^ signifies 0.x.x, so it resolves to 0.4.x just fine

wszydlak commented 3 years ago

Nope:

 In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.

And:

[image attachment]

wszydlak commented 3 years ago

For versions starting with zero, e.g. 0.1.0, the caret will allow only patch updates, e.g. ^0.1.0 cannot resolve to 0.2.0

It allows minor updates only for stable versions starting at least with 1, e.g. ^1.0.0 can resolve to 1.3.0
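The caret and tilde rules the thread argues over can be checked mechanically. The following is an added example written from the npm semver documentation quoted above; it is not part of the thread and not the npm `semver` package. It implements only plain `^x.y.z` and `~x.y.z` ranges, and the publish history it resolves against is a constructed sample (only 0.0.4, 0.3.2 and the 0.4.x line are mentioned on the page).

```javascript
// Minimal resolver for npm caret (^) and tilde (~) ranges.
// Added illustration, not the npm `semver` package.

// Parse a plain "x.y.z" version into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a ^ or ~ range.
function rangeBounds(range) {
  const op = range[0];
  const base = parseVersion(range.slice(1));
  const [major, minor, patch] = base;
  let upper;
  if (op === '~') {
    // Tilde: patch updates only when minor is given (~1.2.3 → >=1.2.3 <1.3.0).
    upper = [major, minor + 1, 0];
  } else if (op === '^') {
    // Caret: allow changes that do not modify the leftmost non-zero component.
    // ^1.2.3 → <2.0.0, ^0.2.3 → <0.3.0, ^0.0.3 → <0.0.4
    if (major > 0) upper = [major + 1, 0, 0];
    else if (minor > 0) upper = [0, minor + 1, 0];
    else upper = [0, 0, patch + 1];
  } else {
    throw new Error(`unsupported range operator in ${range}`);
  }
  return [base, upper];
}

// True if `version` falls inside `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Highest published version the range resolves to, or null if none match.
// This mirrors what an installer picks when a dependency is (re)installed.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample publish history (illustrative, not a real registry dump).
const PUBLISHED = ['0.0.4', '0.3.2', '0.3.7', '0.4.0', '0.4.1'];

// Stand-alone demo: a ^0.3.2 range stays on the 0.3.x line even though
// 0.4.x has been published, which is the point made in this thread.
console.log('^0.3.2 ->', resolve('^0.3.2', PUBLISHED)); // 0.3.7
console.log('^0.0.4 ->', resolve('^0.0.4', PUBLISHED)); // 0.0.4
console.log('~0.4.0 ->', resolve('~0.4.0', PUBLISHED)); // 0.4.1
```

Running `resolve('^0.3.2', PUBLISHED)` returns the newest 0.3.x entry, never 0.4.0, so a dependency pinned with `^0.3.2` keeps pulling the affected line until the declared range itself is changed; the same check on `^1.0.0` against a 1.x history would allow minor bumps.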

twolfson commented 3 years ago

Ugh, inconsistent specs... -_-;; I think we both missed that then (maintainer, myself).

I'll ping them again. Still technically not an issue with pixelsmith, so leaving the issue closed.

wszydlak commented 3 years ago

Please let me know if they fix it.

wszydlak commented 3 years ago

@twolfson any updates?

wszydlak commented 3 years ago

@twolfson

Ok, I prepared a pull request: https://github.com/scijs/save-pixels/pull/31

If you can reach the save-pixels authors, please forward this PR to them.

Thanks

twolfson commented 3 years ago

Yea, I told them about reopening https://github.com/scijs/save-pixels/pull/28

I'm guessing the message fell through the cracks. Thanks for opening that new PR =) Will send it over to them. Fingers crossed it works 🤞

twolfson commented 3 years ago

Looks like they've landed it and hopefully you should be all set now =) Thanks for bearing with us