Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Older Version of File-type library is used, which is causing EOL vulnerability #711

Closed
anshulgupta8392 opened this issue Jan 27, 2023 · 8 comments
Closed

Older Version of File-type library is used, which is causing EOL vulnerability #711

anshulgupta8392 opened this issue Jan 27, 2023 · 8 comments

Comments

@anshulgupta8392
Copy link

Describe the bug
Older Version of File-type library is used

I am using the latest version of file-type in my project which is hampering the execution of tesseract createWorker function.
Screen Shot 2023-01-27 at 11 31 13 PM
@anshulgupta8392 anshulgupta8392 changed the title Older Version of File-type library is used Older Version of File-type library is used, which is causing EOL vulnerability Jan 30, 2023
@OleksiiHryhorian
Copy link

Faced the issue as well.
I have a SNYK test for all added packages to my solution and snyk report shows the tesseract.js includes outdated and vulnerable library file-type 12.4.2:
image

image

Would it be possible to resolve this issue please?

@mtica
Copy link

mtica commented Feb 28, 2023

+1

@OleksiiHryhorian
Copy link

OleksiiHryhorian commented Feb 28, 2023
edited

Adding the link to the comment from Closed thread (#679) as it's connected and issue wasn't solved so far:
#679 (comment)

@Balearica
Copy link
Collaborator

Would be ideal if a user impacted by this issue could contribute a PR. I will not have time to develop Tesseract.js in the near future.

@Fdawgs Fdawgs mentioned this issue Apr 23, 2023
Closed
@Balearica
Copy link
Collaborator

I looked into this tonight, and this dependency is quite the headache--I am leaning towards cutting altogether.

  1. The latest versions (>=17) are ESM only, so will not work with our build.
  2. The bug is also patched in v16.5.4, however that version has separate exports for the Node.js and browser versions, so would require workarounds to run in Tesseract.js (which requires both).
  3. When I got a browser-only version running with v16.5.4, I found this update over doubled the size of our worker code, which I do not consider an acceptable tradeoff
    a. worker.min.js went from 145.1kB to 297.0kB [+105%]

Rather than work on this further, I think I am going to cut this dependency in the next version. We currently use file-type to (1) detect whether a buffer contains a .gz file and (2) detect whether a buffer contains a .bmp file. Figuring out how to do those things from scratch is almost certainly easier than continuing to fiddle with this dependency.

Balearica added a commit that referenced this issue Jun 2, 2023
@Balearica
Removed file-type dependency per #711
84a44af
@Balearica Balearica mentioned this issue Jun 2, 2023
Merged
Balearica added a commit that referenced this issue Jun 2, 2023
@Balearica
Removed file-type dependency per #711 (#775)
32acbd8
@Balearica
Copy link
Collaborator

This dependency has been removed in the master branch in #775 for the reasons stated above. This change will be reflected in the next npm release, which will be version 4.1.0.

@Balearica
Copy link
Collaborator

This dependency was removed in the v4.1.0 release.

@anshulgupta8392
Copy link
Author

anshulgupta8392 commented Jun 3, 2023 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump file-type from 12.4.2 to 16.5.4
4 participants
@mtica @OleksiiHryhorian @Balearica @anshulgupta8392