frontend-build: High security vulnerability needs semver-regex update (via image-webpack-loader) #107
Comments
Hi @dianekaplan, 8.1.0 is the latest version of image-webpack-loader, we cannot update it at the moment. Should we wait for the patch? I would appreciate your suggestions.
It looks like the issue has been flagged upstream but there has not yet been a response: tcoopman/image-webpack-loader#414. Could you go ahead and create a PR upstream to address it?
@mamankhan99 Are you (or anybody else on FED-BOM) up for creating an upstream PR as suggested above?
We can, but we will need to create PRs from bin-version to image-webpack-loader to fix the issue. Should we proceed?
Sorry for not seeing this earlier. I'm ok with that, but is there an alternative we can use instead of image-webpack-loader? The webpack docs mention image-minimizer-webpack-plugin, is that the preferred library for this functionality now? Is it in a better state of maintenance? There's some relevant discussion in webpack-contrib/image-minimizer-webpack-plugin#225.
Yes! We can replace it with image-minimizer-webpack-plugin. Let me discuss the feasibility with my team and then we can start working on it.
We are using v8.1.0 of Dependency chain for these optimizers is as follows: All of them have a dependency on We can replace Since imagemin depends on the aforementioned plugins (gifsicle, mozjpeg, pngquant), we would have to consider
@BilalQamar95, @jmbowman, are we moving forward with |
@arbrandes The shift would be required to resolve ReDOS, a High security vulnerability due to |
@BilalQamar95, thanks! I hadn't noticed the PR existed. |
High: Regular Expression Denial of Service (ReDOS)
Patched in semver-regex version >=3.1.3
dependency chain: @edx/frontend-build > image-webpack-loader > imagemin-gifsicle > gifsicle > bin-wrapper > bin-version-check > bin-version > find-versions > semver-regex
more info: GHSA-44c6-4v22-4mhx
It looks like frontend-build currently uses image-webpack-loader 8.1.0, which only uses semver-regex version 2.0.0. (We need to update image-webpack-loader to a version that uses semver-regex >=3.1.3).
PRs:
- image-webpack-loader
- with image-minimizer-webpack-plugin
- frontend-build#259
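The dependency chain and the patched-version threshold in the report above, as an added example that is not code from this issue or from frontend-build: a small JavaScript check that walks a lockfileVersion 2/3 style `packages` map from the root, collects every chain that reaches semver-regex, and flags the ones still below 3.1.3. The lock fragment is constructed; only the package names and semver-regex 2.0.0 come from the issue, and flat (hoisted) node_modules resolution is assumed.

```javascript
const TARGET = 'semver-regex';
const PATCHED = [3, 1, 3]; // GHSA-44c6-4v22-4mhx: fixed in semver-regex >=3.1.3
// Constructed lock fragment (lockfileVersion 2/3 "packages" shape). Only the
// package names and semver-regex 2.0.0 come from the issue; 0.0.0 is a placeholder.
const lock = {
  packages: {
    '': { name: '@edx/frontend-build', dependencies: { 'image-webpack-loader': '^8.1.0' } },
    'node_modules/image-webpack-loader': { version: '8.1.0', dependencies: { 'imagemin-gifsicle': '*' } },
    'node_modules/imagemin-gifsicle': { version: '0.0.0', dependencies: { gifsicle: '*' } },
    'node_modules/gifsicle': { version: '0.0.0', dependencies: { 'bin-wrapper': '*' } },
    'node_modules/bin-wrapper': { version: '0.0.0', dependencies: { 'bin-version-check': '*' } },
    'node_modules/bin-version-check': { version: '0.0.0', dependencies: { 'bin-version': '*' } },
    'node_modules/bin-version': { version: '0.0.0', dependencies: { 'find-versions': '*' } },
    'node_modules/find-versions': { version: '0.0.0', dependencies: { 'semver-regex': '^2.0.0' } },
    'node_modules/semver-regex': { version: '2.0.0' },
  },
};
// True when `version` (plain x.y.z) is at or above the patched release.
function isPatched(version, patched) {
  const parts = version.split('.').map(Number);
  for (let i = 0; i < patched.length; i++) {
    const p = parts[i] || 0;
    if (p !== patched[i]) return p > patched[i];
  }
  return true;
}
// Depth-first walk from the root over declared dependencies. Assumes a flat
// (hoisted) node_modules, so every name resolves to node_modules/<name>.
// Returns every chain root > ... > target as an array of "name@version".
function findChains(lock, target) {
  const pkgs = lock.packages;
  const chains = [];
  const walk = (key, path, seen) => {
    for (const dep of Object.keys(pkgs[key].dependencies || {})) {
      const depKey = `node_modules/${dep}`;
      if (!pkgs[depKey] || seen.has(depKey)) continue; // missing entry or cycle
      const next = [...path, `${dep}@${pkgs[depKey].version}`];
      if (dep === target) chains.push(next);
      else walk(depKey, next, new Set(seen).add(depKey));
    }
  };
  walk('', [pkgs[''].name], new Set(['']));
  return chains;
}
// Chains whose final package is still below the patched version.
function vulnerableChains(lock, target, patched) {
  return findChains(lock, target).filter((c) => !isPatched(c[c.length - 1].split('@').pop(), patched));
}
for (const chain of vulnerableChains(lock, TARGET, PATCHED)) console.log(chain.join(' > '));
```

Running it against a real package-lock.json only requires replacing the constructed `lock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; nested (non-hoisted) entries would need the resolver extended to look under the dependant's own node_modules first.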