This repository has been archived by the owner on Dec 26, 2023. It is now read-only.

Use latest jimp to fix minimist security vulnerability #121

Closed
Den-dp opened this issue Mar 24, 2020 · 4 comments

Comments

@Den-dp

Den-dp commented Mar 24, 2020

Repro:

PS C:\dev\temp> npm init -y
Wrote to C:\dev\temp\package.json:
PS C:\dev\temp> npm i webpack-pwa-manifest
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
...
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN temp@1.0.0 No description
npm WARN temp@1.0.0 No repository field.

+ webpack-pwa-manifest@4.2.0
added 69 packages from 98 contributors and audited 163 packages in 6.198s
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
PS C:\dev\temp> npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Prototype Pollution

  Package         minimist

  Patched in      >=0.2.1 <1.0.0 || >=1.2.3

  Dependency of   webpack-pwa-manifest

  Path            webpack-pwa-manifest > jimp > @jimp/custom > @jimp/core >
                  mkdirp > minimist

  More info       https://npmjs.com/advisories/1179

found 1 low severity vulnerability in 163 scanned packages
  1 vulnerability requires manual review. See the full report for details.
PS C:\dev\temp> npm audit fix
npm WARN temp@1.0.0 No description
npm WARN temp@1.0.0 No repository field.

up to date in 0.349s
fixed 0 of 1 vulnerability in 163 scanned packages
  1 vulnerability required manual review and could not be updated

The latest jimp should fix it as per jimp-dev/jimp#857
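The "Prototype Pollution" entry in the audit report above refers to minimist versions before 0.2.1 / 1.2.3, where a dotted option key such as `--__proto__.x=1` walks into `Object.prototype`. The following is an added example, not code from minimist, jimp or webpack-pwa-manifest: a small re-creation of the dotted-key assignment an argv parser performs, with the unchecked walk beside a hardened version that refuses the `__proto__`, `constructor` and `prototype` segments. The `parseArgs`/`setKey*` functions, the `pollutes` probe and the sample argv payloads are assumptions for illustration, and the hardened check is stricter than the original advisory required (it also blocks the `constructor.prototype` route).

```javascript
'use strict';

// Added example (not minimist's code): a minimal dotted-key setter as an
// argv parser might implement it. Key segments are not checked, so
// "__proto__" or "constructor" + "prototype" walk up to Object.prototype
// and the final assignment lands on every object in the process.
function setKeyVulnerable(obj, key, value) {
  const segs = key.split('.');
  let o = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    // Inherited properties count as "present": {}['__proto__'] is Object.prototype
    if (o[segs[i]] === undefined) o[segs[i]] = {};
    o = o[segs[i]];
  }
  o[segs[segs.length - 1]] = value;
}

// Segments that let a key path escape the target object (assumed deny list).
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened setter: drop any key containing an unsafe segment, and only
// descend into properties the target object owns itself.
function setKeyHardened(obj, key, value) {
  const segs = key.split('.');
  if (segs.some((s) => UNSAFE_SEGMENTS.has(s))) return false; // key rejected
  let o = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const s = segs[i];
    if (!hasOwn(o, s) || typeof o[s] !== 'object' || o[s] === null) o[s] = {};
    o = o[s];
  }
  o[segs[segs.length - 1]] = value;
  return true;
}

// Tiny argv reader handling only the "--key=value" form (assumption).
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1], m[2]);
  }
  return out;
}

// Parse argv with the given setter and report whether an unrelated, fresh
// object can now see `probe`, i.e. whether Object.prototype was modified.
// Always cleans up so the process is not left polluted for later callers.
function pollutes(setKey, argv, probe) {
  try {
    parseArgs(argv, setKey);
    return ({})[probe] !== undefined;
  } finally {
    delete Object.prototype[probe];
  }
}

// Constructed sample payloads (assumptions), in the shape an attacker who
// controls process arguments would supply.
const PAYLOADS = [
  ['--__proto__.polluted=yes'],
  ['--constructor.prototype.polluted=yes'],
];

function main() {
  for (const argv of PAYLOADS) {
    console.log(argv[0]);
    console.log('  vulnerable setter pollutes Object.prototype:',
      pollutes(setKeyVulnerable, argv, 'polluted'));
    console.log('  hardened setter pollutes Object.prototype:  ',
      pollutes(setKeyHardened, argv, 'polluted'));
  }
  console.log('hardened setter still handles ordinary dotted keys:',
    JSON.stringify(parseArgs(['--output.dir=dist', '--name=app'], setKeyHardened)));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it with `node` on a machine without minimist installed; the vulnerable setter reports `true` for both payloads and the hardened one `false`, while `--output.dir=dist` still produces `{"output":{"dir":"dist"},"name":"app"}`. The same check (parse a `__proto__` payload, then inspect a fresh `{}`) is a quick way to confirm whether the minimist copy nested under `mkdirp` in your own `node_modules` is actually the patched version, independent of what the lockfile claims.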

@Den-dp
Author

Den-dp commented Jun 9, 2020

So, as a temporary solution, I released a fix from my fork: https://github.com/Den-dp/webpack-pwa-manifest/releases/tag/v4.2.1 🙌

You can install it via:

npm i webpack-pwa-manifest-contrib@4.2.1 -D

Please note the new name with -contrib at the end, and make sure to change it to require('webpack-pwa-manifest-contrib') in webpack.config.js.

@wscourge

wscourge commented Aug 5, 2020

@Den-dp could you maybe publish it as a PR to this repository?

@Den-dp
Author

Den-dp commented Aug 5, 2020

@wscourge PR #122 still exists in this repository, but it is closed, for the reasons given.

I hope it's possible to merge it, even if it's closed 😅

@arthurbergmz
Owner

Dependencies up-to-date, thank you.
