Update vulnerabilities

[maurice-vgw]

What

• minimist, mkdirp, and @jimp are coming up as a critical severity vulnerability in my project
• Tracked it down to Assetpack/core using msdf-bmfont-xml being dependant on these.
• msdf-bmfont-xml hasn't updated these themselves. Could an override resolve this?

Why

• To pass vulnerability checks on dependant repositories

└─┬ @assetpack/core@1.4.0
  └─┬ msdf-bmfont-xml@2.7.0
    ├─┬ handlebars@4.7.8
    │ └── minimist@1.2.8 <-- 
    ├─┬ jimp@0.3.11
    │ └─┬ @jimp/custom@0.3.9
    │   └─┬ @jimp/core@0.3.9
    │     └─┬ mkdirp@0.5.1
    │       └── minimist@0.0.8 <--
    └─┬ update-notifier@5.1.0
      └─┬ latest-version@5.1.0
        └─┬ package-json@6.5.0
          └─┬ registry-auth-token@4.2.2
            └─┬ rc@1.2.8
              └── minimist@1.2.8 deduped <--

─┬ @assetpack/core@1.4.0
  └─┬ msdf-bmfont-xml@2.7.0
    └─┬ jimp@0.3.11
      └─┬ @jimp/custom@0.3.9
        └─┬ @jimp/core@0.3.9
          └── mkdirp@0.5.1

[albinkong]

I submitted a PR few months back to fix this but I've not heard anything. The change is sadly a bit more complex than just updating the dependencies.

[Zyie]

Hey everyone

Sorry this took so long but this should be resolved by #140. You can test it out using npm i @assetpack/core@dev
I'll make a full release once I've verified making these changes hasn't broken anything

[albinkong]

Great news!

I tested it with our setup and it works. We don't do anything with generated bitmap fonts so I can't comment on that.

Here is our Vite plugin function:

function assetpackPlugin(): PluginOption {
  const config: AssetPackConfig = {
    entry: "./assets",
    output: "./public/assets",
    pipes: [
      ...pixiPipes({
        cacheBust: true,
        resolutions: { default: 1 },
        manifest: { includeMetaData: false, createShortcuts: false },
        texturePacker: {
          texturePacker: {
            padding: 2,
            nameStyle: "short",
            allowTrim: false,
            removeFileExtension: false,
          },
          resolutionOptions: {
            resolutions: { default: 1 },
            maximumTextureSize: 1536,
          },
        },
        audio: {
          outputs: [
            {
              formats: [".mp3"],
              recompress: false,
              options: {
                audioBitrate: 160,
                audioFrequency: 44100,
              },
            },
          ],
        },
      }),
      spineAtlasManifestMod(),
    ],
  };
  let mode: ResolvedConfig["command"];
  let activeAssetPack: AssetPack | undefined;

  return {
    name: "assetpack-plugin",
    configResolved(resolvedConfig) {
      mode = resolvedConfig.command;
    },

    buildStart: async () => {
      if (mode === "build") {
        return new AssetPack(config).run();
      }

      await activeAssetPack?.stop();
      activeAssetPack = new AssetPack(config);
      void activeAssetPack.watch();
    },
    buildEnd: async () => {
      await activeAssetPack?.stop();
      activeAssetPack = undefined;
    },
  };
}