
Security issues Vulnerability #76

Open
simotae14 opened this issue Feb 28, 2020 · 6 comments
Comments

@simotae14

Command npm audit returned the following list of errors with high severity:

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-pngquant [dev]
  Path            imagemin-pngquant > pngquant-bin > bin-build > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-pngquant [dev]
  Path            imagemin-pngquant > pngquant-bin > bin-build > download > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-pngquant [dev]
  Path            imagemin-pngquant > pngquant-bin > bin-build > download > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-gifsicle [dev]
  Path            imagemin-gifsicle > gifsicle > bin-build > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-gifsicle [dev]
  Path            imagemin-gifsicle > gifsicle > bin-build > download > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-gifsicle [dev]
  Path            imagemin-gifsicle > gifsicle > bin-wrapper > download > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-mozjpeg [dev]
  Path            imagemin-mozjpeg > mozjpeg > bin-build > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-mozjpeg [dev]
  Path            imagemin-mozjpeg > mozjpeg > bin-build > download > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-mozjpeg [dev]
  Path            imagemin-mozjpeg > mozjpeg > bin-wrapper > download > decompress
  More info       https://npmjs.com/advisories/1217

Is there a chance to fix this problem?

@duy9403

duy9403 commented Feb 28, 2020

#71

@jimmyandrade

jimmyandrade commented Feb 29, 2020

Also encountering this issue.

Expand to find more:
                       === npm audit security report ===                        
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg > bin-build │
│               │ > decompress                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-build > decompress                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin > bin-build  │
│               │ > decompress                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg > bin-build │
│               │ > download > decompress                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-build > download > decompress                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin > bin-build  │
│               │ > download > decompress                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg >           │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin >            │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ netlify-cli                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ netlify-cli > gh-release-fetch > download > decompress       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@abriginets

Same here

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-webp-webpack-plugin [dev]
  Path            imagemin-webp-webpack-plugin > imagemin-webp > cwebp-bin > bin-build > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-webp-webpack-plugin [dev]
  Path            imagemin-webp-webpack-plugin > imagemin-webp > cwebp-bin > bin-build > download > decompress
  More info       https://npmjs.com/advisories/1217

  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   imagemin-webp-webpack-plugin [dev]
  Path            imagemin-webp-webpack-plugin > imagemin-webp > cwebp-bin > bin-wrapper > download > decompress
  More info       https://npmjs.com/advisories/1217

@rajbir123

Guys, what's the exact final solution?

@jimmyandrade

jimmyandrade commented Mar 4, 2020

It looks like this repository has been abandoned. It has not been updated in 3 years (last commit was Aug 22, 2017).

Perhaps the solution is to use a similar repository that is being maintained by the community.

@jimmyandrade

jimmyandrade commented Mar 12, 2020

There's a community effort to fix this issue, see #73.
Now we are waiting for an answer from @kevva :)
