[GHSA-x565-32qp-m3vf] Bump jimp to remove phin dependency (#6977) (#…

…6985) `jimp@0.22.0` removed all the code that used phin. `load-bmfont`, a nested dependency of `jimp` imports `phin` but that is a functionality we don't use as we don't import AngleCode bitmap fonts. With an arbitrarily bump of `phin`, this commit avoids including an offending version in the dev-deps. (cherry picked from commit 54cd2d0) Signed-off-by: Miki <miki@amazon.com>
opensearch-project · Jun 10, 2024 · 0d06e3f · 0d06e3f
1 parent 58844ad
commit 0d06e3f
Show file tree

Hide file tree

Showing 3 changed files with 299 additions and 271 deletions.
diff --git a/changelogs/fragments/6977.yml b/changelogs/fragments/6977.yml
@@ -0,0 +1,2 @@
+security:
+- [GHSA-x565-32qp-m3vf] Bump `jimp` to remove phin dependency ([#6977](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6977))
diff --git a/package.json b/package.json
@@ -101,6 +101,7 @@
     "**/json11": "^1.1.2",
     "**/json-schema": "^0.4.0",
     "**/kind-of": ">=6.0.3",
+    "**/load-bmfont/phin": "^3.7.1",
     "**/loader-utils": "^2.0.4",
     "**/node-jose": "^2.2.0",
     "**/nth-check": "^2.0.1",
@@ -414,7 +415,7 @@
     "jest": "^27.5.1",
     "jest-canvas-mock": "^2.5.1",
     "jest-raw-loader": "^1.0.1",
-    "jimp": "^0.14.0",
+    "jimp": "^0.22.12",
     "jquery": "^3.5.0",
     "json-stringify-pretty-compact": "1.2.0",
     "json5": "^2.2.3",