update file-type dependency to address CVE (#195)

* security: upgrade file-type dependency for cve https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36313 * bump patch version to 4.2.6; add changelog entry * [ci] bump actions versions to silence warnings; add node 20 to the matrix * [ci] bump coveralls action version to silence node 16 warning
ngageoint · May 17, 2024 · 1b3841f · 1b3841f
1 parent 47486e1
commit 1b3841f
Show file tree

Hide file tree

Showing 6 changed files with 166 additions and 27 deletions.
diff --git a/.github/workflows/gh-pages-deploy.yml b/.github/workflows/gh-pages-deploy.yml
@@ -1,7 +1,7 @@
 name: GH Pages Deploy
 
 on:
-  workflow_dispatch: 
+  workflow_dispatch:
   push:
     branches:
       - master

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -9,12 +9,12 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [14.x, 16.x, 18.x]
+        node-version: [14.x, 16.x, 18.x, 20.x]
 
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v4
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ matrix.node-version }}
     - name: npm install, build, and test
@@ -29,8 +29,8 @@ jobs:
         JOB_CONTEXT: ${{ toJson(matrix) }}
       run: echo "$JOB_CONTEXT"
     - name: Coveralls
-      if: matrix.node-version == '14.x'
-      uses: coverallsapp/github-action@master
+      if: matrix.node-version == '20.x'
+      uses: coverallsapp/github-action@v2
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         path-to-lcov: ./docs/coverage/lcov.info
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,9 @@
 ### Changelog
 
+##### 4.2.6
+
+- Upgrade the [`file-type`](https://www.npmjs.com/package/file-type) dependency to address [CVE-2022-36313](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36313).
+
 ##### 4.2.5
 
 - Fix a bug that set `undefined` on sql.js prepared statement values causing sql.js to throw an error.

diff --git a/lib/tiles/creator/tileCreator.ts b/lib/tiles/creator/tileCreator.ts
@@ -1,4 +1,4 @@
-import fileType from 'file-type';
+import * as fileType from 'file-type';
 import proj4 from 'proj4';
 import ProjectTile from './projectTile';
 
@@ -138,12 +138,12 @@ export class TileCreator {
 
   /**
    * Adds a tile and reprojects it if necessary before drawing it into the target canvas
-   * @param tileData
-   * @param gridColumn
-   * @param gridRow
+   * @param tileData a `string` file path or `Buffer` containing image data
+   * @param gridColumn `number`
+   * @param gridRow `number`
    */
   async addTile(tileData: any, gridColumn: number, gridRow: number): Promise<void> {
-    const type = fileType(tileData);
+    const type = await (typeof tileData === 'string' ? fileType.fromFile(tileData) : fileType.fromBuffer(tileData));
     const tile = await ImageUtils.getImage(tileData, type.mime);
     this.tileContext.clearRect(0, 0, this.tileMatrix.tile_width, this.tileMatrix.tile_height);
     this.tileContext.drawImage(tile.image, 0, 0);

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@ngageoint/geopackage",
-  "version": "4.2.5",
+  "version": "4.2.6",
   "description": "GeoPackage JavaScript Library",
   "keywords": [
     "NGA",
@@ -38,7 +38,7 @@
     "@turf/polygon-to-line": "6.5.0",
     "@types/geojson": "7946.0.8",
     "@types/proj4": "2.5.2",
-    "file-type": "12.4.0",
+    "file-type": "^16.5.4",
     "image-size": "0.8.3",
     "lodash": "4.17.21",
     "proj4": "2.8.0",