Comments (8)
codecvlt
commented on August 21, 2024
1
Makes sense. It's ok. I've added this package to my ignore list since it shouldn't be exploitable in my use case.
Cheers, and thanks for the quick responses!
from phantom-html-to-pdf.
codecvlt
commented on August 21, 2024
Updating the default phantomjs version to 2xx should fix this.
from phantom-html-to-pdf.
bjrmatos
commented on August 21, 2024
both vulnerabilities does not affect the security of the system for the use case that this package was built, the npm phantomjs package is only using the request package to install a phantomjs binary, it is not used while an application is running, it is only used when installing dependencies so i don't see any vulnerability here.
updating to phantomjs version 2 will only remove these warnings of the NSP but there is no other gain here.. also we don't want to make phantom v2 executable the default because phantom v2 has many rendering issues compared to phantom 1.9.8 (the most stable) executable.
if you are just worried about those warnings you can easily install [email protected] in your machine, the NSP warning still will be present but your system won't be using the phantom 1.9.8 executable.
from phantom-html-to-pdf.
codecvlt
commented on August 21, 2024
Fair enough. Problem right now is your latest version in npm still lists phantomjs as a main dependency. I see in your master branch you made it an optionalDependency. Pointing my version to your master branch removes the NSP warning. When do you think you will release a new npm version which reflects what you have on master branch?
from phantom-html-to-pdf.
codecvlt
commented on August 21, 2024
Weird, looks like 0.5.4 does have phantomjs as optional. My bad.
from phantom-html-to-pdf.
codecvlt
commented on August 21, 2024
Hmm, though when installed, the package.json for 0.5.4 does have phantomjs in the "dependencies" section.
from phantom-html-to-pdf.
bjrmatos
commented on August 21, 2024
Hmm, though when installed, the package.json for 0.5.4 does have phantomjs in the "dependencies" section.
yes, that is the way that npm works, optionalDependencies are always installed, the only difference is that if some optional dependency fails to install then the whole installation won't fail, it will just ignore the optional dependency.
i understand that seeing those warnings can be frustrating, so a solution can be to move the phantomjs dependency from optionalDependencies to peerDependencies, but i'm not sure if everyone will be ok with that, so let's see.. (cc @pofider)
from phantom-html-to-pdf.
pofider
commented on August 21, 2024
I believe the explanation @bjrmatos has done is sufficient.
I don't plan to do big changes like moving the phantomjs dependency out at this moment.
from phantom-html-to-pdf.
Related Issues (20)
- Blurred, overlapping text when generating a PDF HOT 1
- PDF image not shown and format issue HOT 1
- Module not found: Can't resolve 'cluster' in... HOT 1
- Table Header HOT 1
- "file" argument must be a non-empty string HOT 3
- is this repo dead HOT 1
- phantomjs in electron
- occasionally I get "phantom manager could not start all workers" error HOT 4
- error occurs in electron (workerErrors) HOT 1
- Local Language Support
- fix footer
- Background color with gradient isn't working when generating via Mobile
- No support for phantom debug option
- No support for specifying TLS version
- Error: spawn EACCES HOT 5
- Cant render chinese character HOT 2
- How to do the page break in the pdf? HOT 1
- This library doesn't seem to support OnResourceRequested HOT 1
- Custom Headers is not working
- Update lodash version
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from phantom-html-to-pdf.