Mitigating current security vulnerabilities in jimp
A user recently opened an issue regarding open security vulnerabilities through jimp.
The vulnerable package in question is jpeg-js, a dependency of @jimp/jpeg.
The good news is that the vulnerable package itself has been patched in version 0.4.4.
Unfortunately, @jimp/jpeg has not yet been updated, which leads to the following two problems:
The latest version of @jimp/jpeg has pinned jpeg-js to version 0.4.2, which is vulnerable.
Previous versions are specifying a too wide version range (^0.4.0), which would also allow vulnerable versions of jpeg-js.
While we are waiting for a new upstream release of @jimp/jpeg (there's already an open PR) to do a patch release of nut.js, users can mitigate this issue by configuring an override for jpeg-js to force usage of the fixed version.
1{ 2 "name": "override-jpeg-js", 3 "version": "1.0.0", 4 "description": "", 5 "main": "index.js", 6 "scripts": { 7 "test": "echo \"Error: no test specified\" && exit 1" 8 }, 9 "keywords": [], 10 "author": "", 11 "license": "ISC", 12 "overrides": { 13 "@nut-tree/nut-js": { 14 "jpeg-js": "0.4.4" 15 } 16 }, 17 "dependencies": { 18 "@nut-tree/nut-js": "^2.2.0" 19 } 20}
All the best and sorry for the inconveniences
Simon
© 2023