Vulnerabilities detected with decompress

[oguilleux]

Hi there, there seems to be a vulnerability with a dependency :

Arbitrary File Write with Package "decompress"
Path : gulp-imagemin > imagemin-optipng > optipng-bin > bin-wrapper > download > decompress
Path : gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-wrapper > download > decompress
Path : gulp-imagemin > imagemin-gifsicle > gifsicle > bin-wrapper > download > decompress
Path : gulp-imagemin > imagemin-optipng > optipng-bin > bin-build > download > decompress
Path : gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-build > download > decompress
Path : gulp-imagemin > imagemin-gifsicle > gifsicle > bin-build > download > decompress
Path : gulp-imagemin > imagemin-optipng > optipng-bin > bin-build > decompress
Path : gulp-imagemin > imagemin-mozjpeg > mozjpeg > bin-build > decompress
Path : gulp-imagemin > imagemin-gifsicle > gifsicle > bin-build > decompress
More info : https://npmjs.com/advisories/1217

Thanks for your work !

[Ionaru]

Decompress has a PR in-progress: kevva/decompress#73

[colorful-tones]

decompress just merged a fix for this: kevva/decompress#73 (comment)

[colorful-tones]

I'm just now realizing that @sindresorhus merged fix for decompress and is a maintainer of gulp-imagemin . 🤦‍♂

Thanks for all the great work Sindre! 👏

[colorful-tones]

@sindresorhus is it a matter of waiting for imagemin to pull in the update. And then gulp-imagemin can pull in that latest from imagemin for this?

I'm not clear as to where decompress comes in to the dependency tree here.

[tjbulick]

@colorful-tones decompress doesn't come into dependency tree of this package directly. It comes as a part of underlying packages. If we want this package to pull those security updates, then we need to have them in each package of dependency tree chain first