Expected behaviour
Shot is usable without pulling in transitive dependencies that have CVE issues against them.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Actual behaviour
Shot uses a very old version of Scrimage which in turn uses an older version of imageio-jpeg, which itself is vulnerable and causing this issue.
Fixing this should be a simple dependency update - though note that around version 3.0.0 the module name changed. The new dependency should be something like "com.sksamuel.scrimage:scrimage-core:4.0.34"
https://github.com/sksamuel/scrimage/releases
From what I can tell, these versions should be binary compatible with the one currently in use - I don't see any breaking changes listed in the release notes.
Steps to reproduce
Check dependency chain. Shot-core is currently using "com.sksamuel.scrimage:scrimage-core_2.12:2.1.8"
https://github.com/pedrovgs/Shot/blob/master/core/build.gradle#LL16C22-L16C67
Version of the library
5.14.1
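For the "Check dependency chain" step, an added example (not part of the issue and not Shot's code): a small Python parser for the text printed by `gradle dependencies` that lists every path leading to a given artifact. The tree is constructed; only the scrimage-core coordinate comes from the issue, and all other coordinates and versions are placeholders.

```python
import re

# Constructed sample of `gradle dependencies` text output. Only the
# scrimage-core coordinate comes from the issue; every other coordinate
# and version below is a placeholder.
SAMPLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.sksamuel.scrimage:scrimage-core_2.12:2.1.8
|    +--- com.twelvemonkeys.imageio:imageio-jpeg:0.0.1
|    |    \--- com.twelvemonkeys.imageio:imageio-core:0.0.1
|    \--- example.placeholder:image-filters:0.0.2
|         \--- com.twelvemonkeys.imageio:imageio-jpeg:0.0.1 (*)
\--- example.placeholder:test-helpers:0.0.3
"""

# Each nesting level is a 5-character column ("|    " or "     ")
# followed by "+--- " or "\--- " and the coordinate.
NODE = re.compile(r"^((?:[| ]{5})*)[+\\]--- (\S+)(?: -> (\S+))?")


def dependency_paths(tree_text, artifact):
    """Return every root-to-node path ending at `artifact` (group:name)."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration header, blank line, legend
        depth = len(m.group(1)) // 5
        parts = m.group(2).split(":")
        if m.group(3):  # "1.0 -> 2.0": keep the version Gradle resolved
            parts = parts[:2] + [m.group(3)]
        del stack[depth:]  # drop siblings and their subtrees
        stack.append(":".join(parts))
        if ":".join(parts[:2]) == artifact:
            hits.append(list(stack))
    return hits


def direct_dependencies_to_bump(tree_text, artifact):
    """First-level dependencies that pull `artifact` in."""
    return sorted({path[0] for path in dependency_paths(tree_text, artifact)})


if __name__ == "__main__":
    target = "com.twelvemonkeys.imageio:imageio-jpeg"
    for path in dependency_paths(SAMPLE_TREE, target):
        print(" -> ".join(path))
    print("bump:", direct_dependencies_to_bump(SAMPLE_TREE, target))
```

Running it against the real output of the build shows which declared dependency has to be upgraded or constrained to remove the flagged transitive artifact.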