jimp security advisory


A user recently opened an issue regarding open security vulnerabilities through jimp.

The vulnerable package in question is jpeg-js, a dependency of @jimp/jpeg.

The good news is that the vulnerable package itself has been patched in version 0.4.4.

Unfortunately, @jimp/jpeg has not yet been updated, which leads to the following two problems:

The latest version of @jimp/jpeg has pinned jpeg-js to version 0.4.2, which is vulnerable. Previous versions are specifying a too wide version range (^0.4.0), which would also allow vulnerable versions of jpeg-js.


While we are waiting for a new upstream release of @jimp/jpeg (there's already an open PR) to do a patch release of nut.js, users can mitigate this issue by configuring an override for jpeg-js to force usage of the fixed version.

  "name": "override-jpeg-js",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  "keywords": [],
  "author": "",
  "license": "ISC",
  "overrides": {
    "@nut-tree/nut-js": {
      "jpeg-js": "0.4.4"
  "dependencies": {
    "@nut-tree/nut-js": "^2.2.0"

All the best and sorry for the inconveniences


Release v2.2.1