Please update jpeg-js

[kockok]

Bug summary

jpeg-js  <0.4.4
Severity: moderate
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install react-native-bootsplash@2.2.8, which is a breaking change
node_modules/jpeg-js
  @jimp/jpeg  <=0.12.0 || >=0.16.1
  Depends on vulnerable versions of jpeg-js
  node_modules/@jimp/jpeg
    @jimp/types  <=0.11.1-canary.891.908.0 || >=0.16.1
    Depends on vulnerable versions of @jimp/jpeg
    node_modules/@jimp/types
      jimp  0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
      Depends on vulnerable versions of @jimp/types
      node_modules/jimp
        react-native-bootsplash  1.2.1 - 2.2.4 || >=3.0.0-alpha.0
        Depends on vulnerable versions of jimp
        node_modules/react-native-bootsplash

5 moderate severity vulnerabilities

Library version

"react-native-bootsplash": "^4.1.5"

Environment info

Normal.

Steps to reproduce

1. npm install --force
2. npm audit

Reproducible sample code

`npm audit`

[zoontek]

Done in https://github.com/zoontek/react-native-bootsplash/releases/tag/4.1.6

[kockok]

Done in https://github.com/zoontek/react-native-bootsplash/releases/tag/4.1.6

I don't know if it's only me, but I still have the 5 moderate severity vulnerabilities flagged.

I did try running npm cache verify clean.
And deleted node_modules and then reinstalled again.

[efstathiosntonas]

@kockok you mean flagged them on your github repo or locally? If on repo then you must manually resolve them by clicking the dropdown on top right (under Security tab) and then select the resolve option that suits you.

[kockok]

@efstathiosntonas No, I just ran npm audit

[efstathiosntonas]

@kockok try find ./node_modules/ -name package.json | xargs grep jpeg-js to see which package might uses jpeg-js, in my case I had 2 packages using it:

./node_modules//@jimp/jpeg/package.json:    "jpeg-js": "0.4.2"
./node_modules//react-native-bootsplash/package.json:    "jpeg-js": "0.4.4"

[efstathiosntonas]

@zoontek it seems "jimp": "^0.16.1" still uses the problematic jpeg-js, there's a PR pending: jimp-dev/jimp#1087, just fyi.

[efstathiosntonas]

@kockok and everyone else affected by this, just add this in package.json until PR from above is merged/released:

yarn:

"resolutions": {
    "jpeg-js": "0.4.4"
  }

in case of npm use npm-force-resolutions

[zoontek]

Version has been pinned for yarn:

react-native-bootsplash/package.json

Line 68 in ed78d2c

"jpeg-js": "0.4.4"

For npm 8+, you can use overrides: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides in your own package.json.

I will update the package again once jimp will be updated.

[conceptualspace]

FYI jimp has been updated with the security fix: https://github.com/oliver-moran/jimp/releases/tag/v0.16.2

[zoontek]

@conceptualspace Thanks for the info! Do you have a bit of time to shoot a PR? (and remove the pined versions of jpeg-js in the project and the example)?

[conceptualspace]

done: #396

cheers

[efstathiosntonas]

Thank you both!