
Package vulnerabilities #659

Open
NViviers opened this issue Sep 1, 2022 · 10 comments
Labels
security (Pull requests that address a security vulnerability)

Comments

@NViviers

NViviers commented Sep 1, 2022

When installing version 2.4.1, NPM reports 4 total vulnerabilities, 3 moderate and 1 high.

node_modules/jpeg-js
  get-pixels-frame-info-update  *
  Depends on vulnerable versions of jpeg-js
  node_modules/get-pixels-frame-info-update
    @nsfw-filter/gif-frames  *
    Depends on vulnerable versions of get-pixels-frame-info-update
    node_modules/@nsfw-filter/gif-frames
      nsfwjs  >=2.3.0
      Depends on vulnerable versions of @nsfw-filter/gif-frames
      node_modules/nsfwjs

Can we get a fix on this?

@GantMan
Member

GantMan commented Sep 1, 2022

Can you get me a list based off of installing master? That way I can know what to get fixed in order to do a fresh release.

Some of these will most likely resolve with using master.

GantMan added the security label (Pull requests that address a security vulnerability) on Sep 1, 2022
@GantMan
Member

GantMan commented Sep 1, 2022

I do have a plan to get snyk working on the repo to catch these early, but I hit a few snags.

@NViviers
Author

NViviers commented Sep 1, 2022

Do you mean this?

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

Let me know how to get what you want, and I'll be happy to help

@GantMan
Member

GantMan commented Sep 1, 2022

Try release 2.4.2 and let me know if it fixes things.

@NViviers
Author

NViviers commented Sep 1, 2022

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142 

added 143 packages, and audited 144 packages in 6s

12 packages are looking for funding
  run `npm fund` for details

4 vulnerabilities (3 moderate, 1 high)

@GantMan
Member

GantMan commented Sep 1, 2022

I have Snyk running on my local machine. So now I can see the 4 vulnerabilities and identify when they are removed.

Most critical errors come from the ability to detect GIF frames. If you're not using the classifyGif functionality, these security issues are not a problem.

If you'd like to fix these - can you send a pull-request to https://github.com/nsfw-filter/gif-frames to update their dependencies? When they update, I'll point NSFWJS to the latest.
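Added example, not code from this thread or from the nsfwjs project: a small script that reads an npm audit JSON report (auditReportVersion 2, as produced by npm 7 and later) and traces each directly installed package back to the upstream advisory, which is how you confirm that the fix has to land in the gif-frames dependency chain rather than in nsfwjs itself. The report object is constructed to mirror the chain quoted in this issue; its severities, titles and advisory ids are placeholders, not real advisory data.

```javascript
// Constructed npm audit report (auditReportVersion 2) mirroring the chain in
// this issue. Severity, title, url and source values are PLACEHOLDERS.
const constructedAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "jpeg-js": {
      name: "jpeg-js", severity: "high", isDirect: false,
      via: [{ source: 0, name: "jpeg-js", title: "PLACEHOLDER advisory",
              url: "https://example.invalid/placeholder", severity: "high" }],
      effects: ["get-pixels-frame-info-update"],
    },
    "get-pixels-frame-info-update": {
      name: "get-pixels-frame-info-update", severity: "high", isDirect: false,
      via: ["jpeg-js"], effects: ["@nsfw-filter/gif-frames"],
    },
    "@nsfw-filter/gif-frames": {
      name: "@nsfw-filter/gif-frames", severity: "high", isDirect: false,
      via: ["get-pixels-frame-info-update"], effects: ["nsfwjs"],
    },
    nsfwjs: {
      name: "nsfwjs", severity: "high", isDirect: true,
      via: ["@nsfw-filter/gif-frames"], effects: [],
    },
  },
};

// Follow the `via` entries of one package: a string names another vulnerable
// package to recurse into, an object is the advisory itself (the root cause).
// `path` guards against cycles. Returns one { advisory, chain } per root.
function traceRoots(report, pkgName, path = []) {
  const entry = report.vulnerabilities[pkgName];
  if (!entry || path.includes(pkgName)) return [];
  const here = [...path, pkgName];
  const roots = [];
  for (const v of entry.via) {
    if (typeof v === "string") roots.push(...traceRoots(report, v, here));
    else roots.push({ advisory: v, chain: here });
  }
  return roots;
}

// For each package you depend on directly, report which upstream package
// actually carries the advisory and the dependency path that reaches it.
function directDependencyRisks(report) {
  return Object.values(report.vulnerabilities)
    .filter((e) => e.isDirect)
    .map((e) => ({
      direct: e.name,
      roots: traceRoots(report, e.name).map((r) => ({
        vulnerablePackage: r.advisory.name, severity: r.advisory.severity, chain: r.chain,
      })),
    }));
}

console.log(JSON.stringify(directDependencyRisks(constructedAudit), null, 2));
```

To run it against a real project, replace constructedAudit with the parsed output of npm audit --json; the chain ending in jpeg-js is the one that can only be cleared upstream.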

@NViviers
Author

NViviers commented Sep 1, 2022

Thank you for checking them. Is this pull request perhaps trying to fix this problem?

@GantMan
Member

GantMan commented Sep 1, 2022

That looks correct. Seems everyone is too busy, hahahaha.

@pprathameshmore

I am having a vulnerability issue in the request package used by [email protected]

@GantMan
Member

GantMan commented Aug 1, 2023

That's the gif package. I hope someone can fork it and upgrade.


3 participants