get-pixels dependency security issue reported by npm audit with no automatic fix.
houd1ni opened this issue · 6 comments
Hi! Here's the npm audit fix --force output:
npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit No fix available for @ericblade/quagga2@*
up to date, audited 488 packages in 2s
67 packages are looking for funding
run `npm fund` for details
# npm audit report
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
No fix available
node_modules/request
get-pixels >=2.0.0
Depends on vulnerable versions of request
node_modules/get-pixels
@ericblade/quagga2 *
Depends on vulnerable versions of get-pixels
node_modules/@ericblade/quagga2
Thank you for filing an issue! Please be patient. :-)
Thanks for the notice. I'm not the author of get-pixels, so... I don't know?
Actually, I just had a look at the source code for get-pixels; it's pretty small overall.
Looks like getPixels supports getting pixels from Buffer, dataURL, HTTP/HTTPS, or files.
So it looks like that's to support http/https URLs.
I'm not worried by that vulnerability, as we're not using that functionality. You might appeal to @get-pixels to get that fixed up... it could easily support node-fetch or just use the internal fetch, or just drop the feature or make it require the user to provide an interface for it.
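The last suggestion in that comment, an input guard plus a caller-supplied fetcher so get-pixels never sees a URL, as an added example (not quagga2's or get-pixels' own code). It assumes get-pixels dispatches on the source kinds listed above (Buffer, data URL, http/https URL, file) and exposes the callback form getPixels(src, type, cb); `getPixels` and `fetchImpl` are injected so it runs offline.

```javascript
"use strict";

// Schemes that get-pixels hands to `request`, the dependency flagged by npm audit.
const REMOTE_SCHEMES = new Set(["http:", "https:"]);

// Classify a get-pixels source without touching the network or the filesystem.
// Mirrors the input kinds listed in the thread: Buffer, data URL, http(s) URL, file.
function classifySource(src) {
  if (Buffer.isBuffer(src)) return "buffer";
  if (typeof src !== "string") return "unsupported";
  if (/^data:/i.test(src)) return "data-url";
  try {
    if (REMOTE_SCHEMES.has(new URL(src).protocol)) return "remote";
  } catch (_) {
    // Not an absolute URL, so get-pixels would treat it as a local path.
  }
  return "file";
}

// Decide how a source may be loaded. Remote sources are never passed through to
// get-pixels; they are only allowed when the caller supplies its own fetcher.
function planLoad(src, fetchImpl) {
  const kind = classifySource(src);
  if (kind === "unsupported") throw new TypeError("unsupported pixel source");
  if (kind === "remote" && typeof fetchImpl !== "function") {
    throw new Error("refusing remote source without a caller-supplied fetcher: " + src);
  }
  return { kind, viaFetcher: kind === "remote" };
}

// Wrapper around a callback-style getPixels(src, type, cb) (assumed signature).
// When a remote URL is allowed, the caller's fetcher turns it into a Buffer first,
// so get-pixels (and therefore `request`) only ever receives a Buffer.
async function loadPixels(src, type, { getPixels, fetchImpl } = {}) {
  const plan = planLoad(src, fetchImpl);
  let input = src;
  if (plan.viaFetcher) {
    input = await fetchImpl(src); // caller enforces host allow-list, timeouts, size limits
    if (!Buffer.isBuffer(input)) throw new TypeError("fetcher must return a Buffer");
  }
  return new Promise((resolve, reject) =>
    getPixels(input, type, (err, pixels) => (err ? reject(err) : resolve(pixels)))
  );
}
```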
Hi there. I've made a short issue there, pointing here. Is it OK if I make a fork of the lib with this issue fixed if he doesn't respond in some time? I really don't want to spoil a terminal with npm warnings and then miss something important some day.
Sure, it looks like it would be trivial to remove that dependency from get-pixels, and point quagga at it.
refer scijs/get-pixels#62 (comment)
Looks like he found a usage of getPixels that I wasn't aware of (probably due to some weird capitalization in that file... sigh), but I'd still need to further investigate whether that is using the questionable part of request.
Commenter's advice is sound.
I do not know when I will have time to investigate that. Pull requests always welcome :)