Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SECURITY: npm audit found an issue in request dep. #62

Open
houd1ni opened this issue Apr 2, 2023 · 9 comments
Open

SECURITY: npm audit found an issue in request dep. #62

houd1ni opened this issue Apr 2, 2023 · 9 comments

Comments

@houd1ni
Copy link

houd1ni commented Apr 2, 2023

Hi! See ericblade/quagga2#494

@SVillette
Copy link

@mikolalysenko any chance fixing the security issue ?
Is this project still maintained ?

@houd1ni
Copy link
Author

houd1ni commented Apr 24, 2023

@SVillette hi! I'm about to fix it in a special fork as told in that attached issue. Thanks for reminding. Will post it here with mention.

@m6a-UdS
Copy link

m6a-UdS commented Jun 2, 2023

Any update? 👀

@houd1ni
Copy link
Author

houd1ni commented Jun 3, 2023

Any update? 👀

Almost got back here. 🐌

@donmccurdy
Copy link

For anyone blocked on this issue — I'm maintaining a near-equivalent library, ndarray-pixels, based on get-pixels and save-pixels. Some differences to note:

  • On web, ndarray-pixels uses Canvas2D and imports no dependencies. Browserify is no longer required.
  • On Node.js, ndarray-pixels now uses sharp. Sharp includes support for considerably more image formats.
  • Input must be a Uint8Array or Buffer. Support for loading URLs, Data URIs, and filesystem paths has been removed. I recommend using environment-native APIs for that, avoiding the class of problem in this thread.
  • getPixels returns a Promise<ndarray<Uint8Array>>, and no longer accepts a callback.

Example:

import { getPixels, savePixels } from 'ndarray-pixels';
import fs from 'node:fs';

// read
const pixels = await getPixels(bytesIn, 'image/png'); // Uint8Array -> ndarray

// modify
for (let i = 0; i < pixels.shape[0]; ++i) {
  for (let j = 0; j < pixels.shape[1]; ++j) {
    pixels.set(i, j, 255);
  }
}

// write
const bytesOut = await savePixels(pixels, 'image/png'); // ndarray -> Uint8Array

@houd1ni
Copy link
Author

houd1ni commented Jun 14, 2023

@donmccurdy can it be used with ericblade/quagga2#494 ?

@donmccurdy
Copy link

donmccurdy commented Jun 14, 2023

@houd1ni Yes, looking at the usage here...

https://github.com/ericblade/quagga2/blob/2f2cd190a02cae6d9b847b938aab43e8630ff2bb/src/input/input_stream/input_stream.ts#L46-L50

... you'd just need to fetch the URL first (using fetch() or some other library), then pass the Uint8Array or Buffer result into getPixels, which returns Promise<ndarray>.

@the-marolie
Copy link

@dy - I see that request have been removed with this PR - #67
But the npm release still has the old code. Any plan on releasing the new package to npm? Would solve a lot of security issues reported by audit in our project

@beseg
Copy link

beseg commented Dec 16, 2024

We are too waiting for the npm release to solve a lot of security issues reported by audit 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants