Anonymous Intelligence Signal

Joplin Workspace Security Patch: SSRF & DoS Vulnerabilities Fixed in Deprecated Dependencies

human | The Lab | unverified | 2026-03-26 19:27:32 | Source: GitHub Issues

A critical security update for the Joplin workspace patches two vulnerabilities inherited from outdated dependencies: a Server-Side Request Forgery (SSRF) bypass and a Denial-of-Service (DoS) vector. Both lived in deprecated packages that, left in place, could have let an attacker slip past the HTTP client's SSRF mitigations or hang the application.

The SSRF vulnerability came from the deprecated `request` package (version <= 2.88.2), pulled in both transitively through `image-data-uri` and directly by `@joplin/tools`. `request` is vulnerable to a bypass of SSRF mitigations via cross-protocol redirects: a server the application is allowed to reach can answer with a redirect from HTTPS to HTTP (or the reverse), and the client follows it to a destination the original scheme check never saw. Because `request` has been deprecated since 2020 and receives no fixes, the only remedy is to remove it. The `image-data-uri` package was therefore dropped from `@joplin/lib` entirely, and its use for parsing base64 image data was replaced with native Node.js logic (`Buffer.from`). In `@joplin/tools`, the `update-readme-contributors.ts` script was moved from `request` to `node-fetch`, and the `request` dependency was removed from package.json. One caveat for anyone repeating this swap: `node-fetch` follows redirects by default too, so the change removes the known-vulnerable code path rather than adding an SSRF defence; wherever a fetched URL or its redirect target is attacker-influenced, redirects still need to be handled explicitly.
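The two replacements described above, as an added Node.js example that is not Joplin's code: `parseImageDataUri()` is base64 data-URI parsing built on `Buffer.from`, the kind of native logic that can stand in for the removed `image-data-uri` package, and `fetchWithRedirectPolicy()` follows redirects one hop at a time, refusing the cross-protocol hop behind the `request` SSRF bypass and any hop off a host allow-list. The function names, the `api.example.test` host and the fake server responses are all assumptions constructed for the example; the fetch implementation is injected so the block runs offline.

```javascript
// Added example (not Joplin's code). Node.js >= 14, no third-party modules.

// Matches "data:<mime>;<param>;...;base64,<payload>"; mime and params are optional.
const DATA_URI_RE = /^data:([^;,]+)?((?:;[^;,]*)*),(.*)$/s;

// Native replacement for image-data-uri style parsing: returns { mime, data }.
function parseImageDataUri(uri) {
  const m = DATA_URI_RE.exec(uri);
  if (!m) throw new Error('not a data URI');
  const mime = (m[1] || 'text/plain').toLowerCase();
  const params = (m[2] || '').split(';').filter(Boolean);
  if (!params.includes('base64')) throw new Error('only base64 data URIs are accepted');
  if (!mime.startsWith('image/')) throw new Error(`unexpected MIME type ${mime}`);
  const payload = m[3];
  // Buffer.from silently skips characters outside the base64 alphabet, so
  // validate the payload instead of trusting whatever happens to decode.
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(payload) || payload.length % 4 !== 0) {
    throw new Error('malformed base64 payload');
  }
  return { mime, data: Buffer.from(payload, 'base64') };
}

// Decide whether a Location header may be followed from fromUrl (a URL object).
// A scheme change (https -> http or http -> https) is the cross-protocol
// redirect that bypassed request's SSRF check, so it is refused outright.
function redirectAllowed(fromUrl, location, allowedHosts) {
  let target;
  try { target = new URL(location, fromUrl); } catch { return false; }
  if (target.protocol !== fromUrl.protocol) return false;
  if (!['http:', 'https:'].includes(target.protocol)) return false;
  return allowedHosts.includes(target.hostname);
}

// fetchImpl(url, init) must return a response-like object ({ status, url,
// headers.get, text }) WITHOUT following redirects itself; with real node-fetch
// that means passing { redirect: 'manual' }, which this wrapper does.
async function fetchWithRedirectPolicy(fetchImpl, url, { allowedHosts, maxRedirects = 5 }) {
  let current = new URL(url);
  if (!redirectAllowed(current, current.href, allowedHosts)) {
    throw new Error(`start URL not permitted: ${current.href}`);
  }
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current.href, { redirect: 'manual' });
    if (res.status < 300 || res.status > 399) return res;
    const location = res.headers.get('location');
    if (!location) return res; // 3xx without Location: nothing to follow
    if (!redirectAllowed(current, location, allowedHosts)) {
      throw new Error(`refused redirect from ${current.href} to ${location}`);
    }
    current = new URL(location, current);
  }
  throw new Error('too many redirects');
}

// Constructed fake server (no network). One endpoint redirects normally; the
// other answers with a cross-protocol redirect into an internal address.
const FAKE_RESPONSES = {
  'https://api.example.test/contributors': { status: 301, location: '/contributors/v2' },
  'https://api.example.test/contributors/v2': { status: 200, body: '[{"login":"alice"}]' },
  'https://api.example.test/redirect-trap': { status: 302, location: 'http://10.0.0.5/admin' },
  'http://10.0.0.5/admin': { status: 200, body: 'internal service reached' },
};

async function fakeFetch(url) {
  const r = FAKE_RESPONSES[url] || { status: 404 };
  return {
    status: r.status,
    url,
    headers: { get: (name) => (name.toLowerCase() === 'location' ? r.location ?? null : null) },
    text: async () => r.body ?? '',
  };
}

// Runs both fake endpoints through the policy and reports what happened.
async function demo() {
  const policy = { allowedHosts: ['api.example.test'] };
  const ok = await fetchWithRedirectPolicy(fakeFetch, 'https://api.example.test/contributors', policy);
  let trapped;
  try {
    await fetchWithRedirectPolicy(fakeFetch, 'https://api.example.test/redirect-trap', policy);
    trapped = 'followed (this would be the SSRF)';
  } catch (e) {
    trapped = e.message;
  }
  return { okStatus: ok.status, okUrl: ok.url, okBody: await ok.text(), trapped };
}

demo().then((r) => console.log(r));
```

The policy check runs on every hop rather than once on the start URL, which is the property the `request` bypass lacked; with a real client, keep `redirect: 'manual'` on the injected fetch so the library never follows a hop the policy has not seen.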

Separately, a Denial-of-Service vulnerability was fixed in the `file-type` package (v16.5.4). A crafted ASF file with a zero-size sub-header made the parser's read loop advance by zero bytes on every pass, so it never reached the end of the header and spun indefinitely. Since that loop runs synchronously on the single Node.js event loop, one such file stalls everything else the process is doing: a service outage rather than a crash. The patch for this specific DoS vector is detailed in the associated pull request, completing the hardening of the application's dependency chain.
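The failure mode described above, as an added example that is neither `file-type`'s nor Joplin's code: a minimal walker over the sub-headers of an ASF top-level Header Object, written once in a naive form that stalls on a zero-size sub-header and once in a hardened form that rejects it. The layout constants follow the ASF specification (16-byte GUID plus 8-byte little-endian size per object, 30-byte top-level header); the function names, the dummy sub-header GUIDs and the two sample files are assumptions constructed for the example.

```javascript
// Added example (not file-type's or Joplin's code). Node.js >= 12, no modules.

// ASF top-level Header Object: 16-byte GUID, 8-byte LE size, 4-byte sub-header
// count, 2 reserved bytes. Each sub-header: 16-byte GUID + 8-byte LE size that
// covers the sub-header itself, so a well-formed size is never below 24.
const ASF_HEADER_GUID = Buffer.from('3026b2758e66cf11a6d900aa0062ce6c', 'hex');
const HEADER_OBJECT_SIZE = 30;
const SUB_HEADER_MIN_SIZE = 24;

// Builds a constructed ASF header for the demonstration. `size` is written
// verbatim so a sample can lie about its own length; `payloadLength` controls
// how many bytes actually follow the sub-header.
function buildAsfHeader(subHeaders) {
  const parts = subHeaders.map(({ guid, size, payloadLength }) => {
    const b = Buffer.alloc(SUB_HEADER_MIN_SIZE + payloadLength);
    Buffer.from(guid, 'hex').copy(b, 0);
    b.writeBigUInt64LE(BigInt(size), 16);
    return b;
  });
  const body = Buffer.concat(parts);
  const head = Buffer.alloc(HEADER_OBJECT_SIZE);
  ASF_HEADER_GUID.copy(head, 0);
  head.writeBigUInt64LE(BigInt(HEADER_OBJECT_SIZE + body.length), 16);
  head.writeUInt32LE(subHeaders.length, 24);
  head[28] = 0x01; head[29] = 0x02; // reserved bytes as the spec defines them
  return Buffer.concat([head, body]);
}

// Naive walker mirroring the described bug: the size read from the file is
// trusted, a zero size leaves pos unchanged, and the loop never exits. The
// fuse exists only so this demonstration terminates; real code had none.
function walkSubHeadersNaive(buf, fuse = 10000) {
  const found = [];
  let pos = HEADER_OBJECT_SIZE;
  let iterations = 0;
  while (pos + SUB_HEADER_MIN_SIZE <= buf.length) {
    if (++iterations > fuse) return { found, stalled: true };
    const size = Number(buf.readBigUInt64LE(pos + 16));
    found.push({ guid: buf.subarray(pos, pos + 16).toString('hex'), size });
    pos += size;
  }
  return { found, stalled: false };
}

// Hardened walker: every sub-header size must at least cover the sub-header
// itself and stay inside the declared header object, and the number of
// sub-headers is capped, so progress is guaranteed on every iteration.
function walkSubHeadersSafe(buf, maxSubHeaders = 64) {
  if (buf.length < HEADER_OBJECT_SIZE) throw new Error('truncated ASF header');
  if (!buf.subarray(0, 16).equals(ASF_HEADER_GUID)) throw new Error('not an ASF header');
  const headerSize = Number(buf.readBigUInt64LE(16));
  const declaredCount = buf.readUInt32LE(24);
  const end = Math.min(headerSize, buf.length);
  const subHeaders = [];
  let pos = HEADER_OBJECT_SIZE;
  while (pos + SUB_HEADER_MIN_SIZE <= end) {
    const size = Number(buf.readBigUInt64LE(pos + 16));
    if (size < SUB_HEADER_MIN_SIZE) throw new Error(`invalid sub-header size ${size} at offset ${pos}`);
    if (pos + size > end) throw new Error(`sub-header at offset ${pos} overruns the header object`);
    if (subHeaders.length >= maxSubHeaders) throw new Error('too many sub-headers');
    subHeaders.push({ guid: buf.subarray(pos, pos + 16).toString('hex'), size });
    pos += size;
  }
  return { declaredCount, subHeaders };
}

// Constructed samples with dummy GUIDs: a well-formed header with two
// sub-headers, and a crafted one whose single sub-header claims size 0.
const SAMPLE_GOOD = buildAsfHeader([
  { guid: '11111111111111111111111111111111', size: 40, payloadLength: 16 },
  { guid: '22222222222222222222222222222222', size: 24, payloadLength: 0 },
]);
const SAMPLE_CRAFTED = buildAsfHeader([
  { guid: '33333333333333333333333333333333', size: 0, payloadLength: 16 },
]);

console.log('naive/good   :', walkSubHeadersNaive(SAMPLE_GOOD).stalled ? 'stalled' : 'ok');
console.log('naive/crafted:', walkSubHeadersNaive(SAMPLE_CRAFTED).stalled ? 'stalled' : 'ok');
try { walkSubHeadersSafe(SAMPLE_CRAFTED); } catch (e) { console.log('safe/crafted :', e.message); }
```

The check that matters is `size < SUB_HEADER_MIN_SIZE`: any size that cannot move `pos` past the bytes just read is corrupt by definition, and rejecting it is what turns an unbounded loop into one bounded by the input length. The cap on sub-header count is belt-and-braces against the same class of bug surfacing through a different field.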