Hi, @hipstersmoothie @oliver-moran, there is a vulnerability introduced in your package @jimp/core:
Issue Description
A vulnerability, CVE-2020-7598, detected in package minimist (<0.2.1, >=1.0.0 <1.2.3) is transitively referenced by @jimp/core@0.6.8. We noticed that such a vulnerability has been removed since @jimp/core@0.9.6.
However, @jimp/core's popular previous version @jimp/core@0.6.8 (42,198 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 384 downstream projects, e.g., miniprogram-automator 0.10.0, @refract-cms/server 0.18.6, resize-optimize-images 1.1.2, gatsby-theme-code-notes 2.3.0, thing-it-qr-code 1.0.10, gatsby-theme-code-notes@2.3.0, etc.).
As such, issue CVE-2020-7598 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade @jimp/core from version 0.6.8 to (>=0.9.6). For instance, @jimp/core@0.6.8 is introduced into the above projects via the following package dependency paths:
(1) gatsby-theme-code-notes@2.3.0 ➔ gatsby-plugin-og-image@0.0.1 ➔ jimp@0.6.8 ➔ @jimp/custom@0.6.8 ➔ @jimp/core@0.6.8 ➔ mkdirp@0.5.1 ➔ minimist@0.0.8 ......
Projects such as gatsby-plugin-og-image, which introduced @jimp/core@0.6.8, are not maintained anymore. These unmaintained packages can neither upgrade @jimp/core nor be easily migrated away from by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package @jimp/core@0.6.8?
Suggested Solution
Since these inactive projects set a version constraint 0.6.* for @jimp/core on the above vulnerable dependency paths, if @jimp/core removes the vulnerability from 0.6.8 and releases a new patched version @jimp/core@0.6.9, such a vulnerability patch can be automatically propagated into the 384 affected downstream projects.
In @jimp/core@0.6.9, you can kindly try to perform the following upgrade: mkdirp 0.5.1 ➔ 0.5.2.
Note: mkdirp@0.5.2 (>=0.5.2) directly depends on minimist@1.2.5 (a version in which CVE-2020-7598 is patched).
Thanks again for your help.
Best regards,
Paimon
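The propagation argument in the issue can be checked mechanically. The following is an added example, not code from the issue or from the jimp project: a toy npm-style resolver over a constructed registry that follows the issue's dependency path, showing that consumers pinned to 0.6.* never reach @jimp/core@0.9.6, but do pick up a backported 0.6.9 that bumps mkdirp. Package versions and ranges in REGISTRY are assumptions modelled on the issue text, not the real published manifests.

```python
def parse(v):
    return tuple(int(x) for x in v.split("."))

def satisfies(v, rng):
    """Minimal npm-style range check: 'x.y.*', '>=a.b.c', '<a.b.c' or an exact version; clauses are AND-ed."""
    ver = parse(v)
    for clause in rng.split():
        if clause.endswith(".*"):
            base = parse(clause[:-2])
            if ver[:len(base)] != base: return False
        elif clause.startswith(">="):
            if ver < parse(clause[2:]): return False
        elif clause.startswith("<"):
            if ver >= parse(clause[1:]): return False
        elif ver != parse(clause): return False
    return True

def minimist_vulnerable(v):  # CVE-2020-7598 affected range as quoted in the issue
    return satisfies(v, "<0.2.1") or satisfies(v, ">=1.0.0 <1.2.3")

# Constructed registry (name -> version -> dependency ranges) modelled on the issue's dependency path.
REGISTRY = {
    "gatsby-theme-code-notes": {"2.3.0": {"gatsby-plugin-og-image": "0.0.1"}},
    "gatsby-plugin-og-image": {"0.0.1": {"jimp": "0.6.*"}},  # unmaintained; pins the 0.6 line
    "jimp": {"0.6.8": {"@jimp/custom": "0.6.*"}},
    "@jimp/custom": {"0.6.8": {"@jimp/core": "0.6.*"}},
    "@jimp/core": {"0.6.8": {"mkdirp": "0.5.1"}, "0.9.6": {"mkdirp": ">=0.5.2"}},
    "mkdirp": {"0.5.1": {"minimist": "0.0.8"}, "0.5.2": {"minimist": ">=1.2.5"}},
    "minimist": {"0.0.8": {}, "1.2.5": {}},
}

def resolve(name, rng, registry):  # highest published version in range, as a fresh install would pick
    ok = [v for v in registry.get(name, {}) if satisfies(v, rng)]
    return max(ok, key=parse) if ok else None

def vulnerable_paths(name, version, registry, path=()):
    """Every resolved dependency path from name@version down to a vulnerable minimist."""
    path += (f"{name}@{version}",)
    if name == "minimist":
        return [path] if minimist_vulnerable(version) else []
    found = []
    for dep, rng in registry[name][version].items():
        v = resolve(dep, rng, registry)
        if v: found += vulnerable_paths(dep, v, registry, path)
    return found

def with_backport(registry):  # the issue's suggestion: publish @jimp/core@0.6.9 with mkdirp bumped to 0.5.2
    core = {**registry["@jimp/core"], "0.6.9": {"mkdirp": ">=0.5.2"}}
    return {**registry, "@jimp/core": core}
```

Calling `vulnerable_paths("gatsby-theme-code-notes", "2.3.0", REGISTRY)` returns the single path ending in minimist@0.0.8 even though 0.9.6 is published; the same call against `with_backport(REGISTRY)` returns no paths.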