A vulnerability introduced in your package #1031

Closed
paimon0715 opened this issue Jul 23, 2021 · 1 comment · Fixed by #1285
Labels
help wanted released This issue/pull request has been released. Security Vulnerability

Comments

@paimon0715

Hi, @hipstersmoothie @oliver-moran, there is a vulnerability introduced in your package @jimp/core:

Issue Description

A vulnerability CVE-2020-7598 detected in package minimist(<0.2.1,>=1.0.0 <1.2.3) is transitively referenced by @jimp/core@0.6.8. We noticed that such a vulnerability has been removed since @jimp/core@0.9.6.

However, @jimp/core's popular previous version @jimp/core@0.6.8 (42,198 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 384 downstream projects, e.g., miniprogram-automator 0.10.0, @refract-cms/server 0.18.6, resize-optimize-images 1.1.2, gatsby-theme-code-notes 2.3.0, thing-it-qr-code 1.0.10, gatsby-theme-code-notes@2.3.0, etc.).
As such, issue CVE-2020-7598 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade @jimp/core from version 0.6.8 to (>=0.9.6). For instance, @jimp/core@0.6.8 is introduced into the above projects via the following package dependency paths:
(1)gatsby-theme-code-notes@2.3.0 ➔ gatsby-plugin-og-image@0.0.1 ➔ jimp@0.6.8 ➔ @jimp/custom@0.6.8 ➔ @jimp/core@0.6.8 ➔ mkdirp@0.5.1 ➔ minimist@0.0.8
......

The projects such as gatsby-plugin-og-image, which introduced @jimp/core@0.6.8, are not maintained anymore. These unmaintained packages can neither upgrade @jimp/core nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package @jimp/core@0.6.8?

Suggested Solution

Since these inactive projects set a version constraint 0.6.* for @jimp/core on the above vulnerable dependency paths, if @jimp/core removes the vulnerability from 0.6.8 and releases a new patched version @jimp/core@0.6.9, such a vulnerability patch can be automatically propagated into the 384 affected downstream projects.

In @jimp/core@0.6.9, you can kindly try to perform the following upgrade:
mkdirp 0.5.1 ➔ 0.5.2;
Note:
mkdirp@0.5.2(>=0.5.2) directly depends on minimist@1.2.5 (a vulnerability CVE-2020-7598 patched version)

Thanks again for your help.

Best regards,
Paimon
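An added example (not code from the jimp project or from the issue author) of how a defender can check a dependency tree for the transitive exposure described above. It walks a constructed, lockfile-style tree, reports every path ending at a minimist release inside the CVE-2020-7598 ranges the issue quotes, and re-checks the same chain after the suggested mkdirp 0.5.1 ➔ 0.5.2 bump; the node shape and helper names are assumptions for the example.

```javascript
// Added example (not jimp project code): find dependency paths that reach a minimist
// release inside the CVE-2020-7598 ranges quoted in the issue (<0.2.1 or >=1.0.0 <1.2.3),
// then confirm the mkdirp 0.5.1 -> 0.5.2 bump clears the path.

// Compare two "major.minor.patch" strings; returns -1, 0 or 1 (pre-release tags ignored).
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected minimist ranges as stated in the issue: <0.2.1 or >=1.0.0 <1.2.3.
function isVulnerableMinimist(version) {
  return cmpVersion(version, '0.2.1') < 0 ||
    (cmpVersion(version, '1.0.0') >= 0 && cmpVersion(version, '1.2.3') < 0);
}

// Assumed tree node shape: { name, version, dependencies: [node, ...] }.
const node = (name, version, dependencies = []) => ({ name, version, dependencies });

// Build a single dependency chain from [name, version] pairs, root first.
const chain = (pairs) =>
  pairs.reduceRight((child, [name, version]) => node(name, version, child ? [child] : []), null);

// Depth-first walk; collects "a@1 ➔ b@2 ➔ ..." paths that end at a vulnerable minimist.
function findVulnerablePaths(root) {
  const hits = [];
  (function walk(n, trail) {
    const here = trail.concat(`${n.name}@${n.version}`);
    if (n.name === 'minimist' && isVulnerableMinimist(n.version)) hits.push(here.join(' ➔ '));
    n.dependencies.forEach((d) => walk(d, here));
  })(root, []);
  return hits;
}

// Constructed chains mirroring dependency path (1) from the issue, before and after the bump.
const head = [['gatsby-theme-code-notes', '2.3.0'], ['gatsby-plugin-og-image', '0.0.1'],
  ['jimp', '0.6.8'], ['@jimp/custom', '0.6.8'], ['@jimp/core', '0.6.8']];
const beforeFix = chain([...head, ['mkdirp', '0.5.1'], ['minimist', '0.0.8']]);
const afterFix = chain([...head, ['mkdirp', '0.5.2'], ['minimist', '1.2.5']]);

console.log('before:', findVulnerablePaths(beforeFix)); // one path, ending at minimist@0.0.8
console.log('after:', findVulnerablePaths(afterFix));   // []
```

The same walk applies to a real package-lock.json once its nested `dependencies` objects are mapped onto the node shape above.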

@hipstersmoothie
Collaborator

🚀 Issue was released in v1.0.2 🚀

@hipstersmoothie hipstersmoothie added the released This issue/pull request has been released. label Aug 31, 2024