jimp: npm audit fails about xml2js (from load-bmfont)

On my project I am using jimp, and I just found out that the current latest version, 0.22.7, has a vulnerable dependency.

Here is the output of npm audit:

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install jimp@0.3.5, which is a breaking change
node_modules/xml2js
  parse-bmfont-xml  *
  Depends on vulnerable versions of xml2js
  node_modules/parse-bmfont-xml
    load-bmfont  >=1.1.0
    Depends on vulnerable versions of parse-bmfont-xml
    node_modules/load-bmfont
      @jimp/plugin-print  *
      Depends on vulnerable versions of load-bmfont
      node_modules/@jimp/plugin-print
        @jimp/plugins  *
        Depends on vulnerable versions of @jimp/plugin-print
        node_modules/@jimp/plugins
          jimp  >=0.3.6-alpha.5
          Depends on vulnerable versions of @jimp/plugins
          node_modules/jimp

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

It seems that @jimp/plugin-print uses:

  • load-bmfont (this package was last published 3 years ago)
  • load-bmfont uses parse-bmfont-xml (this package was last published 5 years ago)
  • parse-bmfont-xml uses xml2js ^0.4.5 (which won’t pull in 0.5.0, which fixes the vuln).

There is an issue in parse-bmfont-xml to upgrade to xml2js 0.5.0: https://github.com/mattdesl/parse-bmfont-xml/issues/6

About this issue

  • State: open
  • Created a year ago
  • Reactions: 15
  • Comments: 19 (2 by maintainers)

Most upvoted comments

If someone wants to fork those deps into the jimp org and do the update, I’ll help make it happen

An alternative / temporary solution could be to create a custom-configured Jimp by using @jimp/custom, if you know you are not using features from the @jimp/plugin-print plugin. With that you can eliminate the problematic dependency manually. Please note that you might run into some issues with that if you are using Typescript (depending on your configuration; I made a PR where I try to make the modular configuration more available: https://github.com/jimp-dev/jimp/pull/1225 ).

It’s high time for parse-bmfont-xml to be updated to include the latest xml2js 0.6.0 https://github.com/Leonidas-from-XIV/node-xml2js/tags but there’s no movement in any of the already existing PRs: https://github.com/mattdesl/parse-bmfont-xml/pull/4 https://github.com/mattdesl/parse-bmfont-xml/pull/5

If this won’t progress, would the jimp devs fork it or find an alternative, please ? @hipstersmoothie @Marsup @zmedgyes @sjoerd108

@lorand-horvath yeah, I actually use nvm, and my node version is 20.0.0. And yes, I use yarn instead of npm because of speed reasons 😄 .

But your suggestions did provide me with a solution, as per https://classic.yarnpkg.com/en/docs/selective-version-resolutions/#toc-how-to-use-it.

If you are using yarn, add this to your package.json for a quick and dirty solution:

    "resolutions": {
        "jimp/@jimp/plugins/@jimp/plugin-print/load-bmfont/parse-bmfont-xml/xml2js": "^0.6.0"
    }

yarn uses resolutions not overrides 😄 .

@lorand-horvath from your original workaround, I’ve tried adding the override to my package.json , deleted package-lock.json and node_modules, but I still see the vulnerability during the yarn audit process. Seems v. 0.4.5 keeps getting pulled in.

Am I doing something wrong?

Very strange that nobody bothers to actually fix this https://github.com/jimp-dev/jimp/issues/1223#issuecomment-1587654554

@pzrq The nested form works perfectly fine. But there’s a catch. Whenever you install a new package, e.g. npm install some-package, the defined override will not be taken into account at all, so the old xml2js will be reinstalled. This is a very strange quirk of npm and many people have run into this issue. The solution is to delete node_modules and package-lock.json and then do a clean npm install of all packages. This will apply the override as expected. I’m not sure if this is what you have run into, but most certainly many are struggling with this, still.

A quick and dirty solution until parse-bmfont-xml bumps xml2js to 0.5.0 is to add an override to your package.json (https://github.com/Leonidas-from-XIV/node-xml2js/issues/671#issuecomment-1516405738):

  "overrides": {
    "jimp": {
      "xml2js": "^0.5.0"
    }
  }

and npm install.

Note: overrides are only available since npm 8.3
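An added check, written for this page and not taken from the jimp project or from anyone in the thread: because an override can silently stop applying after a later `npm install some-package` (as the comment above describes), it is worth asserting in CI that no copy of xml2js below 0.5.0 is actually installed. The script walks the `packages` map of a lockfileVersion 2 or 3 package-lock.json (npm 7 and later; lockfileVersion 1 has no such map) and reports every installed copy of a package, including nested copies such as node_modules/load-bmfont/node_modules/xml2js, that is older than a minimum version. The lock embedded in it is a constructed sample, not a real jimp install; the function names are this example's own.

```javascript
// Added example (not the jimp project's code): verify that an npm "overrides"
// entry really took effect by inspecting package-lock.json instead of trusting
// the install step. Only Node built-ins are used.
'use strict';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable numbers.
// Prerelease tags are ignored for this check, which is good enough for
// "is this older than the fixed release".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric, not lexicographic).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`. The lock's "packages" map is keyed by install
// path, so a nested copy appears as ".../node_modules/<parent>/node_modules/<name>".
// Matching on the full path segment avoids confusing "xml2js" with "xml2js-foo".
function installedCopies(lock, name) {
  const pkgs = lock.packages || {};
  const suffix = `node_modules/${name}`;
  return Object.entries(pkgs)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, info]) => ({ path: p, version: info.version }));
}

// Copies of `name` older than `minVersion`. An empty array means the override held.
function findStaleCopies(lock, name, minVersion) {
  return installedCopies(lock, name)
    .filter(c => compareVersions(c.version, minVersion) < 0);
}

// Same check against a real lockfile on disk (path is the caller's choice).
function checkLockfile(lockPath, name, minVersion) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(lockPath, 'utf8'));
  if (!lock.packages) {
    throw new Error('lockfileVersion 1 has no "packages" map; regenerate the lock with npm >= 7');
  }
  return findStaleCopies(lock, name, minVersion);
}

// Constructed sample lock (not a real jimp install): the top-level xml2js was
// overridden to 0.5.0, but a stale nested copy was pulled back in under load-bmfont,
// which is exactly the situation a plain `npm ls` glance can miss.
const SAMPLE_LOCK = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { jimp: '^0.22.7' } },
    'node_modules/jimp': { version: '0.22.7' },
    'node_modules/load-bmfont': { version: '1.4.1' },
    'node_modules/parse-bmfont-xml': { version: '1.1.4' },
    'node_modules/xml2js': { version: '0.5.0' },
    'node_modules/load-bmfont/node_modules/xml2js': { version: '0.4.23' },
    'node_modules/xml2js-extra': { version: '0.1.0' }, // must NOT match "xml2js"
  },
};

// Demonstration on the sample: prints one stale path. In CI you would call
// checkLockfile('package-lock.json', 'xml2js', '0.5.0') and fail the job if
// the returned array is non-empty.
const sampleResult = findStaleCopies(SAMPLE_LOCK, 'xml2js', '0.5.0');
for (const c of sampleResult) {
  console.log(`stale copy: ${c.path}@${c.version} (< 0.5.0)`);
}
```

The same idea works for any transitive override; only the package name and floor version change. Note that this verifies the lockfile, not node_modules: run it after the clean `npm install` the comment above recommends, so the lock and the tree agree.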