[security] Upstream vulnerability in decompress module #489

Closed
nothingismagick opened this issue Mar 6, 2020 · 1 comment

@nothingismagick

Describe the bug
There is an NPM high-severity warning for kevva/decompress, which means yarn audit fails on the JS CLI, since the library is used in the imagemin family of algorithms.

See: https://www.npmjs.com/advisories/1217
Issue here: kevva/decompress#71
Potential mitigation strategy: kevva/decompress#71 (comment)

The discussion is somewhat long-winded, with a variety of opinions on the security implications of the matter. For our usage of this library I am not concerned, since the library is only used for downloading known binaries.

Nevertheless, the "high" severity warning is disconcerting and I wanted to publish this opinion so that you are aware that we are aware of it. Updates will be found here on this issue as well as at the wg-security channel on our Discord.

@rajivshah3
Member

This was fixed in #545 by @not-matthias
