jimp security advisory

Mitigating current security vulnerabilities in jimp

Tags: #security #advisory

Description

A user recently opened an issue about open security vulnerabilities reported through jimp.

The vulnerable package in question is jpeg-js, a dependency of @jimp/jpeg.

The good news is that the vulnerable package itself has been patched in version 0.4.4.

Unfortunately, @jimp/jpeg has not yet been updated, which leads to the following two problems:

The latest version of @jimp/jpeg pins jpeg-js to version 0.4.2, which is vulnerable.
Previous versions specify too wide a version range (^0.4.0), which would also allow vulnerable versions of jpeg-js.

Advisory

While we wait for a new upstream release of @jimp/jpeg (there is already an open PR) so that we can ship a patch release of nut.js, users can mitigate this issue by configuring an override for jpeg-js that forces use of the fixed version.

```json
{
  "name": "override-jpeg-js",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "overrides": {
    "@nut-tree/nut-js": {
      "jpeg-js": "0.4.4"
    }
  },
  "dependencies": {
    "@nut-tree/nut-js": "^2.2.0"
  }
}
```

All the best, and sorry for the inconvenience

Simon

Last Update: August 27, 2022