This repository has been archived by the owner on Dec 26, 2023. It is now read-only.

[VULN] Upgrade to jimp 0.6.0 ASAP #90

Closed
alexandernst opened this issue Dec 3, 2018 · 4 comments

Comments

@alexandernst

Current version of jimp depends on tinycolor2@1.4.1, which has 2 medium vulnerabilities:

+-----------------+-----------------+-----------------+----------------------------------------------+
|    Priority     |      Tool       |   Identifier    |                     URL                      |
+-----------------+-----------------+-----------------+----------------------------------------------+
| Medium          | retire          | CVE-2015-9251   | https://github.com/jquery/jquery/issues/2432 |
| 3rd party CORS request may execute for jquery                                                      |
| In node_modules/tinycolor2/demo/jquery-1.9.1.js                                                    |
+-----------------+-----------------+-----------------+----------------------------------------------+
| Medium          | retire          | CVE-2015-9251   | https://bugs.jquery.com/ticket/11974         |
| parseHTML() executes scripts in event handlers for jquery                                          |
| In node_modules/tinycolor2/demo/jquery-1.9.1.js                                                    |
+-----------------+-----------------+-----------------+----------------------------------------------+

Please upgrade to jimp 0.6.0
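A maintainer-side check for this kind of report, added here as an example and not code from the issue or the webpack-pwa-manifest project: given a `lockfileVersion` 1 `package-lock.json`, it lists every chain from a direct dependency down to the flagged package, so you can see which direct dependency (here jimp) has to be bumped rather than patching `node_modules` by hand. The lockfile fragment and every version except tinycolor2@1.4.1 are constructed.

```javascript
// Added example, not code from the issue or the webpack-pwa-manifest project.
// Walks a package-lock.json (lockfileVersion 1) "dependencies" tree and lists
// every chain from a direct dependency to a flagged transitive package.

// Constructed lockfile fragment mirroring the report; versions other than
// tinycolor2@1.4.1 are made up for illustration.
const sampleLock = {
  dependencies: {
    jimp: { version: "0.2.28", requires: { tinycolor2: "^1.4.1", "file-type": "^3.1.0" } },
    tinycolor2: { version: "1.4.1" },          // hoisted copy pulled in by jimp
    "file-type": { version: "3.9.0" },
    "color-helper": {                          // hypothetical second consumer
      version: "1.0.0",
      requires: { tinycolor2: "~1.3.0" },
      dependencies: { tinycolor2: { version: "1.3.0" } }, // nested, not hoisted
    },
  },
};
const directDeps = ["jimp", "color-helper"]; // what the root package.json declares

// Emulate Node's lookup: nearest nested "dependencies" first, then hoisted.
function resolve(name, scopes) {
  for (const scope of scopes) if (scope && scope[name]) return scope[name];
  return null;
}

// Return "a@x > b@y > target@z" strings for every path reaching `target`,
// optionally restricted to one version (e.g. the one retire flagged).
function findDependencyPaths(lock, roots, target, targetVersion) {
  const paths = [];
  function walk(name, scopes, chain, seen) {
    const node = resolve(name, scopes);
    if (!node || seen.has(node)) return;           // unresolved or cycle
    const here = [...chain, `${name}@${node.version}`];
    if (name === target && (!targetVersion || node.version === targetVersion)) {
      paths.push(here.join(" > "));
      return;
    }
    const next = new Set(seen).add(node);
    const inner = [node.dependencies, ...scopes];  // nested deps shadow hoisted ones
    for (const dep of Object.keys(node.requires || {})) walk(dep, inner, here, next);
  }
  for (const root of roots) walk(root, [lock.dependencies], [], new Set());
  return paths;
}

// Direct dependencies to upgrade: the first hop of each matching chain.
function directDepsToBump(paths) {
  const firstHop = (p) => p.split(" > ")[0];
  return [...new Set(paths.map((p) => firstHop(p).slice(0, firstHop(p).lastIndexOf("@"))))];
}

console.log(findDependencyPaths(sampleLock, directDeps, "tinycolor2", "1.4.1"));
```

Drop the version argument to see every copy of the package in the tree, including nested ones that a hoisted-only scan would miss.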

@alexandernst
Author

@doug-wade ^

@alexandernst
Author

@doug-wade Would it help if I make a PR?

@doug-wade
Collaborator

Hey @alexandernst, I'll take a look at this when I get home from work this evening. In the future, it is traditional to communicate vulnerabilities over email (my email address is available from my GitHub profile) to avoid publicizing vulnerabilities publicly. Thanks for the report all the same, though.

doug-wade added a commit to doug-wade/webpack-pwa-manifest that referenced this issue Dec 7, 2018
doug-wade added a commit that referenced this issue Dec 7, 2018
@doug-wade
Collaborator
