@renovate renovate bot commented Nov 16, 2023

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| sharp (source, changelog) | ^0.31.0 -> ^0.32.6 | age | confidence |

GitHub Vulnerability Alerts

GHSA-54xq-cgqr-rpm3

Overview

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity GHSA-j7hp-h8jx-5ppr.

Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

How to resolve this?

Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.

```javascript
sharp.block({ operation: ["VipsForeignLoadWebp"] });
```

Release Notes

lovell/sharp (sharp)

  • v0.32.6
  • v0.32.5
  • v0.32.4
  • v0.32.3
  • v0.32.2
  • v0.32.1
  • v0.32.0
  • v0.31.3
  • v0.31.2
  • v0.31.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
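
The advisory's libwebp version requirement and its `sharp.block` workaround, combined into a startup guard that fails closed. This is an added example, not code from sharp or from this PR: `guardWebp`, `compareVersions` and `makeStub` are hypothetical names, and it assumes `sharp.versions.webp` carries the bundled libwebp version when prebuilt binaries are in use.

```javascript
'use strict';

const FIXED_LIBWEBP = '1.3.2'; // libwebp version named in the advisory

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Takes the sharp module (or a stub of the same shape) and reports what was done.
function guardWebp(sharp) {
  const webp = sharp.versions && sharp.versions.webp;
  const known = typeof webp === 'string' && /^\d+(\.\d+)*$/.test(webp);
  if (known && compareVersions(webp, FIXED_LIBWEBP) >= 0) {
    return 'patched';
  }
  // Old or unreported libwebp (assumption: a globally-installed libvips
  // may not expose it), so treat the decoder as vulnerable.
  if (typeof sharp.block !== 'function') {
    // This sharp build has no block(); reject WebP input before it reaches sharp.
    return 'cannot-block';
  }
  sharp.block({ operation: ['VipsForeignLoadWebp'] });
  return 'blocked';
}

// Constructed stub standing in for require('sharp') so the example runs offline.
function makeStub(webpVersion, hasBlock) {
  const stub = { versions: {}, blocked: [] };
  if (webpVersion) stub.versions.webp = webpVersion;
  if (hasBlock) stub.block = (opts) => { stub.blocked.push(...opts.operation); };
  return stub;
}

console.log(guardWebp(makeStub('1.3.2', true)));   // fixed libwebp
console.log(guardWebp(makeStub('1.3.1', true)));   // vulnerable, loader blocked
console.log(guardWebp(makeStub(undefined, true))); // version unknown, loader blocked
console.log(guardWebp(makeStub('1.2.4', false)));  // vulnerable, no block() available
```

In an application, call `guardWebp(require('sharp'))` once at startup, before any untrusted image is opened.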

@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Dec 3, 2023
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 8b28637 to 9fe8e50 Compare December 3, 2023 11:46
@renovate renovate bot changed the title Update dependency sharp to ^0.33.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Dec 3, 2023
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 9fe8e50 to 87bece8 Compare December 3, 2023 15:11
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Jan 4, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from 690733f to 8339fe5 Compare January 4, 2024 20:12
@renovate renovate bot changed the title Update dependency sharp to ^0.33.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Jan 4, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 8339fe5 to b6c5564 Compare January 9, 2024 11:41
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Jan 9, 2024
@renovate renovate bot changed the title Update dependency sharp to ^0.33.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Jan 9, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from eb3460c to b85614a Compare January 16, 2024 14:32
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Jan 16, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from b85614a to a1ff6ff Compare January 16, 2024 15:12
@renovate renovate bot changed the title Update dependency sharp to ^0.33.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Jan 16, 2024
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Jan 28, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from 64ca4de to 380dfe2 Compare January 28, 2024 15:42
@renovate renovate bot changed the title Update dependency sharp to ^0.33.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Jan 28, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 380dfe2 to f829d7e Compare February 4, 2024 09:19
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Feb 4, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from f829d7e to 74d0ee0 Compare February 4, 2024 13:02
@renovate renovate bot changed the title Update dependency sharp to ^0.33.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Feb 4, 2024
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Feb 25, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 74d0ee0 to bc2ee92 Compare February 25, 2024 10:52
@renovate renovate bot changed the title Update dependency sharp to ^0.33.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Feb 25, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from bc2ee92 to c4df25b Compare February 25, 2024 12:42
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.33.0 [SECURITY] Feb 29, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from c4df25b to c50ffa0 Compare February 29, 2024 11:23
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Jun 18, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 817f62f to f8b69cf Compare June 22, 2025 13:01
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.34.0 [SECURITY] Jun 22, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from f8b69cf to ec0cabd Compare June 22, 2025 16:51
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Jun 22, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from ec0cabd to 890f737 Compare July 2, 2025 17:51
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.34.0 [SECURITY] Jul 2, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 890f737 to 0c96ac2 Compare July 2, 2025 23:43
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Jul 2, 2025
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.34.0 [SECURITY] Aug 4, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from 15c1e2c to f758249 Compare August 5, 2025 00:36
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Aug 5, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from f758249 to bbc7cb2 Compare August 10, 2025 14:52
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.34.0 [SECURITY] Aug 10, 2025
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Aug 10, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from 19d26b5 to f0ba6ba Compare August 13, 2025 16:38
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.34.0 [SECURITY] Aug 13, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from f0ba6ba to 3c95b56 Compare August 13, 2025 21:02
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Aug 13, 2025
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.34.0 [SECURITY] Aug 19, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from 29255c7 to 238d212 Compare August 20, 2025 00:38
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Aug 20, 2025
@renovate renovate bot changed the title Update dependency sharp to ^0.32.6 [SECURITY] Update dependency sharp to ^0.34.0 [SECURITY] Aug 31, 2025
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 238d212 to 2f1168e Compare August 31, 2025 13:55
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 2f1168e to ab0920b Compare August 31, 2025 17:04
@renovate renovate bot changed the title Update dependency sharp to ^0.34.0 [SECURITY] Update dependency sharp to ^0.32.6 [SECURITY] Aug 31, 2025