
Comments (19)

zmedgyes avatar zmedgyes commented on August 28, 2024 3

An alternative / temporary solution could be to create a custom-configured Jimp by using @jimp/custom, if you know you are not using features from the @jimp/plugin-print plugin. With that you can eliminate the problematic dependency manually.
Please note that you might run into some issues with that if you are using TypeScript (depending on your configuration; I made a PR where I try to make the modular configuration more available: #1225).


hipstersmoothie avatar hipstersmoothie commented on August 28, 2024 3

If someone wants to fork those deps into the jimp org and do the update, I'll help make it happen.


lorand-horvath avatar lorand-horvath commented on August 28, 2024 2

It's high time for parse-bmfont-xml to be updated to include the latest xml2js 0.6.0 https://github.com/Leonidas-from-XIV/node-xml2js/tags but there's no movement in any of the already existing PRs:
mattdesl/parse-bmfont-xml#4
mattdesl/parse-bmfont-xml#5

If this won't progress, would the jimp devs fork it or find an alternative, please? @hipstersmoothie @Marsup @zmedgyes @sjoerd108


lorand-horvath avatar lorand-horvath commented on August 28, 2024 1

A quick and dirty solution until parse-bmfont-xml bumps xml2js to 0.5.0 is to add an override to your package.json Leonidas-from-XIV/node-xml2js#671 (comment)

  "overrides": {
    "jimp": {
      "xml2js": "^0.5.0"
    }
  }

and npm install.

Note: overrides are only available since npm 8.3


lorand-horvath avatar lorand-horvath commented on August 28, 2024 1

@pzrq The nested form works perfectly fine. But there's a catch. Whenever you install a new package, e.g. npm install some-package the defined override will not be taken into account at all, so the old xml2js will be reinstalled. This is some very strange quirk of npm and many people have run into this issue. The solution is to delete node_modules and package-lock.json and then do a clean npm install of all packages. This will apply the override as expected.
I'm not sure if this is what you have run into, but most certainly many are struggling with this, still.


lorand-horvath avatar lorand-horvath commented on August 28, 2024 1

Very strange that nobody bothers to actually fix this #1223 (comment)


RazvanVuscan avatar RazvanVuscan commented on August 28, 2024 1

@lorand-horvath from your original workaround, I've tried adding the override to my package.json , deleted package-lock.json and node_modules, but I still see the vulnerability during the yarn audit process. Seems v. 0.4.5 keeps getting pulled in.

Am I doing something wrong?


RazvanVuscan avatar RazvanVuscan commented on August 28, 2024 1

@lorand-horvath yeah, I actually use nvm, and my node version is 20.0.0. And yes, I use yarn instead of npm because of speed reasons 😄.

But your suggestions did provide me a solution, and as per https://classic.yarnpkg.com/en/docs/selective-version-resolutions/#toc-how-to-use-it.

If you are using yarn, add this to your package.json for a quick and dirty solution:

    "resolutions": {
        "jimp/@jimp/plugins/@jimp/plugin-print/load-bmfont/parse-bmfont-xml/xml2js": "^0.6.0"
    }

yarn uses resolutions, not overrides 😄.


blastshielddown avatar blastshielddown commented on August 28, 2024

FWIW I'm now seeing this vulnerability categorized as moderate. Not sure what has changed or if npm audit works differently on different node versions. I'm on v16.20.0.


pzrq avatar pzrq commented on August 28, 2024

A quick and dirty solution until parse-bmfont-xml bumps xml2js to 0.5.0 is to add an override to your package.json Leonidas-from-XIV/node-xml2js#671 (comment)

  "overrides": {
    "jimp": {
      "xml2js": "^0.5.0"
    }
  }

and npm install.

Note: overrides are only available since npm 8.3

The nested form did not work for me in npm 9.6.3, though the following did reliably generate the upgraded non-vulnerable package-lock.json I needed on npm install:

  "overrides": {
    "xml2js": "^0.5.0"
  }


isahann avatar isahann commented on August 28, 2024

Is there any progress available on the work in this vulnerability? I'm having the same issue here and I'm using v0.22.10.


edi9999 avatar edi9999 commented on August 28, 2024

No, same issue for me as of now.


RazvanVuscan avatar RazvanVuscan commented on August 28, 2024

This issue is still occurring for me as well.


lorand-horvath avatar lorand-horvath commented on August 28, 2024

@RazvanVuscan As per #1223 (comment) :
In package.json add this, which will override xml2js to the currently latest version 0.6.2:

  "overrides": {
    "jimp": {
      "xml2js": "^0.6.0"
    }
  }

Then delete package-lock.json and node_modules.
Then npm install. This will only work if you have npm 8.3 or newer - you can check with npm -v.
This should work. If not, what version of node do you have? node -v

Edit: I see you're using yarn instead of npm. I haven't worked much with it. I'm not sure whether, or since what version of yarn, overrides are supported; you'd have to dig a bit and find out. If you do, please let me know!


benmccann avatar benmccann commented on August 28, 2024

Perhaps jimp should not install all plugins automatically? I have no need to print bitmap fonts on my files, but plugin-print is automatically included. It feels like something that should be made into an optional peer dependency.


RonaldPM avatar RonaldPM commented on August 28, 2024

Seems like this issue is causing security tools such as Snyk to flag Jimp. Is there a plan for a fix yet?


lorand-horvath avatar lorand-horvath commented on August 28, 2024

Fixed in mattdesl/parse-bmfont-xml#4


benmccann avatar benmccann commented on August 28, 2024

Hurray! There's nothing left to do here, as users can now update their lockfiles without any changes necessary in jimp.

That being said, I do think it'd be an improvement if all jimp plugins were not automatically installed: #1223 (comment)


hipstersmoothie avatar hipstersmoothie commented on August 28, 2024

If anyone wants to submit a PR to update our deps, I'd approve! Not installing all the default plugins is a pretty big breaking change, and I don't think breaking changes are too worth it for this project.
