Mitigating current security vulnerabilities in jimp
The good news is that the vulnerable package itself has been patched in version
Unfortunately, @jimp/jpeg has not yet been updated, which leads to the following two problems:
The latest version of @jimp/jpeg pins jpeg-js to version 0.4.2, which is vulnerable.
Previous versions specify an overly wide version range (^0.4.0), which also allows vulnerable versions of jpeg-js to be installed.
While we wait for a new upstream release of @jimp/jpeg (there is already an open PR) before doing a patch release of nut.js, users can mitigate this issue by configuring an override for jpeg-js in their own project that forces the fixed version to be installed.
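As an added illustration that is not part of the original post, the following package.json fragment shows what such an override looks like in a consuming project. The package name under dependencies, its version, and the FIXED_JPEG_JS_VERSION placeholder are assumptions; replace the placeholder with the patched jpeg-js version named in the upstream advisory. The overrides field is honoured by npm (8.3 and later); the resolutions field is the equivalent for Yarn.

```json
{
  "name": "example-consumer",
  "version": "1.0.0",
  "dependencies": {
    "@nut-tree/nut-js": "YOUR_PINNED_NUTJS_VERSION"
  },
  "overrides": {
    "jpeg-js": "FIXED_JPEG_JS_VERSION"
  },
  "resolutions": {
    "jpeg-js": "FIXED_JPEG_JS_VERSION"
  }
}
```

After adding the override, re-run the package manager's install step so the lockfile is regenerated, then confirm that only the fixed version is resolved anywhere in the tree with `npm ls jpeg-js` (or `yarn why jpeg-js`) and that `npm audit` no longer reports jpeg-js. Note that an override replaces the version every transitive dependency requested, including @jimp/jpeg's pin on 0.4.2, so it should be removed again once the patched @jimp/jpeg and nut.js releases are published and the normal dependency ranges resolve to a fixed version on their own.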
All the best, and sorry for the inconvenience.