Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

phin should be upgraded or removed #11

Open
KernelDeimos opened this issue Apr 12, 2024 · 4 comments
Open

phin should be upgraded or removed #11

KernelDeimos opened this issue Apr 12, 2024 · 4 comments

Comments

@KernelDeimos
Copy link

KernelDeimos commented Apr 12, 2024
edited
Loading

apparently it wasn't actually okay to use phin until yesterday

The package jimp depends on this. It processes images. My use-case for it is a fallback image resizer when an optional compiled image resizer is not available.

A module I'm using to resize images... depends on an http client.

Is this for browser environments specifically? Is there a convenient way to disable this, or a way I can be entirely sure it will never be used within a nodejs environment?
@KernelDeimos KernelDeimos changed the title What is phin used for? phin should be upgraded or removed Apr 12, 2024
@lorand-horvath
Copy link

@KernelDeimos It seems this package is maintained by @mattdesl among others.
If upgrading from phin 2 to phin 3 takes as much time as it did for parse-bmfont-xml (10 months) mattdesl/parse-bmfont-xml#4
then I'd probably completely forget about jimp altogether.

I also use jimp as fallback for sharp as the latter doesn't run on the CloudLinux 6 OS of a certain hosting company. But they're in the process of upgrading to CloudLinux 8, which should run sharp without problems. Hence no need for jimp anymore.

@mattdesl
Copy link
Collaborator

I’ll be honest; I don’t know why jimp (an image manipulation library) needs to depend on my module (font tools for games). It seems like scope bloat.

One of the goals of this library is to load a URL resource that might be a buffer or json response, and decode the BMFont file spec into memory in a convenient way, primarily for games and web graphics. So I do not think it makes sense to strip HTTP requests out—it would make the module significantly less useful (it would also be a breaking change). The other goal is for this code to be isomorphic; so it makes no sense to break Node support.

And, deprecation does not mean broken—the developer of phin seems to not have the time to support it, but there is not any reported issue with the version this module depends on.

I think you would be better off taking up your issue with the upstream package rather than this one. Cheers!

@lorand-horvath
Copy link

@mattdesl Is it difficult to update the phin dependency in load-bmfont from v2 to the latest v3?
That would solve the issue. I understand your position regarding scope bloat, but I don't think jimp would remove the load-bmfont dependency and replace it with something else.

Either way, I will use sharp exclusively from now on, since my hosting company is finishing upgrading to CloudLinux 8 on all servers in the coming couple of months.

@DevonAM DevonAM mentioned this issue Apr 25, 2024
Closed
9 tasks
@zdm
Copy link

zdm commented May 11, 2024

Best principal of reliable development - do not use third party packages if this is possible, because usually they are not maintained as they should.
For HTTP requests - embedded nodejs libs are preferrable ( http of retch )..

@dreamorosi dreamorosi mentioned this issue Jun 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fixes deprecated & vulnerable phin dependency version DevonAM/load-bmfont
4 participants
@zdm @mattdesl @KernelDeimos @lorand-horvath