Upgrade @jimp/* to v0.22.12 #148
Conversation
This change is in order to address security vulnerabilities in phin < v3.7.1 which is used by @jimp/* in v0.16. GHSA-x565-32qp-m3vf
|
I'm actually having trouble even getting node-vibrant to build though. Is there a specific node version that needs to be used or something? I can't get this to build from node 18 or node 10 with some typescript errors related to what seems to be missing lodash types or something from ts-node. (I also can't get master to build so clearly I am doing something wrong) |
|
Unfortunately, you're not doing anything wrong @colingm :( |
|
@crutchcorn okay yeah that is what I later realized after a bit of sleuthing. So right now I am taking some time to try to upgrade a few things in the library (mainly in upgrading to webpack 5) and just working through the issues that come with inline workers in webpack 5 (mostly figuring out what is the right way to do it 😅 ) |
|
OMG I didn't mean to close this PR :( @colingm any chance you'd like to try this again against our |
|
@crutchcorn yeah I would definitely be willing to do that. I actually took a look at it again today and was just running into testing issues, I will try on |
|
@crutchcorn thank you for your hard work, the upgrade against v4 was much smoother: #158 |
This change is in order to address security vulnerabilities in phin < v3.7.1 which is used by @jimp/* in v0.16.
GHSA-x565-32qp-m3vf
There were a few changes marked as
Breakinginside of @jimp between v0.16 and v0.22.12 but all but 1 were marked that way as they were changing the build tool used by jimp. The one that wasn't is listed below:Switch to fetch for url requests Switch to fetch for url requests jimp-dev/jimp#1165
They decided to use a polyfill for fetch to support better browser compatibility and I couldn't see any issues this would cause for node-vibrant but am happy to have anyone see if that is an issue.
Addresses: #146