
we need to talk about jimp #17170

Closed
boneskull opened this issue Jul 8, 2022 · 9 comments
Labels
Dependencies issues with dependencies Plugin Regarding an official plugin

Comments

@boneskull
Contributor

The problem

Jimp is unmaintained and contains "high severity" vulnerabilities in its dependencies. Both @appium/images-plugin and @appium/opencv depend upon Jimp.

Let's assume no security or bugfixes are forthcoming. We will need to take action (though I'm unclear on the urgency), and have some options:

  1. Offer to maintain Jimp. This makes sense if we think we have the bandwidth to do so (probably not) and we have the domain knowledge (I don't, but maybe someone else does).
  2. Replace Jimp with something else. Options include (but are not limited to) sharp and... I am not sure what else. image-js is a pure-JS solution which sounds promising, but is not popular. sharp is a native module, which may make installation painful. However, it seems to be well-maintained--and they publish binaries for M1 Macs--so maybe it won't be so bad.
  3. Research the feasibility of copy/pasting our way out of it by pulling the bits we need from Jimp and its dependencies.

From here, replacing it with sharp seems like a reasonable option, but will likely be a not-insignificant effort due to needing to refactor everything to work with its API.
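To size the refactoring effort before picking an option, it helps to know every path by which jimp enters the dependency tree and which packages call it directly. The following is an added example, not Appium's or Jimp's own code: it walks an `npm ls --json`-shaped tree (the tree below is constructed for illustration; the package names follow the issue, the versions and nesting are assumed) and reports the paths and direct dependents of a target package.

```javascript
// Constructed sample of the shape `npm ls --json` emits. Only the fields the
// walker needs are kept (name, version, dependencies); versions are assumed.
const tree = {
  name: 'appium',
  dependencies: {
    '@appium/images-plugin': {
      version: '1.0.0',
      dependencies: {
        jimp: { version: '0.16.1', dependencies: { phin: { version: '2.9.3' } } },
        '@appium/opencv': { version: '1.0.0', dependencies: { jimp: { version: '0.16.1' } } },
      },
    },
    '@appium/opencv': { version: '1.0.0', dependencies: { jimp: { version: '0.16.1' } } },
  },
};

// "name@version" entries use the last '@' as separator so scoped names survive.
const pkgName = (entry) => entry.slice(0, entry.lastIndexOf('@'));

/**
 * Every dependency path (array of "name@version" strings) from `node` that
 * ends in `target`. Depth-first; the target's own subtree is not descended,
 * so each path is minimal and nothing below the target is double counted.
 */
function pathsTo(node, target, prefix = []) {
  const paths = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, `${name}@${dep.version}`];
    if (name === target) {
      paths.push(path);
    } else {
      paths.push(...pathsTo(dep, target, path));
    }
  }
  return paths;
}

/**
 * Packages that import `target` themselves: these are the ones whose code
 * must change if the target is replaced (e.g. jimp -> sharp). A root-level
 * dependency is attributed to the root package name.
 */
function directDependents(node, target) {
  const seen = new Set();
  for (const path of pathsTo(node, target)) {
    seen.add(path.length > 1 ? pkgName(path[path.length - 2]) : node.name);
  }
  return [...seen].sort();
}

/** Distinct versions of `target` in the tree; more than one means a dedup/patch gap. */
function versionsOf(node, target) {
  return [...new Set(pathsTo(node, target).map((p) => p[p.length - 1]))].sort();
}
```

Running `directDependents(tree, 'jimp')` on the sample tree yields the two plugin packages from the issue, which is the set of modules whose image-handling code a migration to sharp would touch.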

@boneskull boneskull added Dependencies issues with dependencies Plugin Regarding an official plugin labels Jul 8, 2022
@boneskull
Contributor Author

If we do go the sharp route, #16992 should be abandoned entirely

@jlipps
Member

jlipps commented Jul 12, 2022

I like the idea of moving to a more maintained module, however building native extensions has been an issue in the past (a severe issue with opencv4nodejs) so I'd want to make sure Sharp builds easily and without issue on all the os/node versions we expect, with no user fiddling.

@boneskull
Contributor Author

I'd say then if we were to attempt to adopt sharp, adding mac intel & ARM (along w/ windows) to the CI matrix would be a requirement.

@boneskull
Contributor Author

...a problem with that is GH does not offer ARM Macs and we'd have to self-host a machine. Feel like throwing down for a mac mini?

@jlipps
Member

jlipps commented Jul 25, 2022

how easy is it to add a custom executor to a github CI job? is it even possible to throw our own hardware at it?

@AT1990

AT1990 commented Aug 31, 2022

I could not figure out what is the solution to my problem #17433 by looking at this ticket, and mine has already been closed as a duplicate. Can someone please help me out here, as I am still stuck with those 8 vulnerabilities and because of that even "Appium" is not getting recognised as an internal or external command.

@crutchcorn

FWIW, Jimp is becoming more maintained as-of late. There's a new call for maintainers, which has been getting a fair bit of response (including from myself).

jimp-dev/jimp#1128

This is not to say that it's perfect or will be solved overnight, but that we're working on it and hope to improve it over time

@boneskull
Contributor Author

@crutchcorn Thanks for the heads-up. I'll keep an eye on it. I'm not sure I love the idea of a "total rewrite" as tossed around in that issue, but this reduces the urgency to migrate away (not that there was a ton of urgency in the first place).

@mykola-mokhnach
Collaborator

No jimp - no talk ;)
