Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency sharp to v0.32.6 [security] #1238

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency sharp to v0.32.6 [security] #1238

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 16, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sharp (source, changelog) 0.32.0 -> 0.32.6 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-54xq-cgqr-rpm3

Overview

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity GHSA-j7hp-h8jx-5ppr.

Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

How to resolve this?

Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.

sharp.block({ operation: ["VipsForeignLoadWebp"] });

Release Notes

lovell/sharp (sharp)

v0.32.6

Compare Source

v0.32.5

Compare Source

v0.32.4

Compare Source

v0.32.3

Compare Source

v0.32.2

Compare Source

v0.32.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Nov 16, 2023
edited
Loading

Deploying daim with  Cloudflare Pages  Cloudflare Pages

Latest commit: 7e26aaf
Status: ✅  Deploy successful!
Preview URL: https://3128abd7.daim.pages.dev
Branch Preview URL: https://renovate-npm-sharp-vulnerabi.daim.pages.dev

View logs

@vercel Vercel
Copy link

vercel bot commented Nov 16, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
daim ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 28, 2024 4:56am

@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 26b056f to 8bf4033 Compare December 7, 2023 07:41
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 8bf4033 to 70bc2b1 Compare December 7, 2023 11:13
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 70bc2b1 to d05bf7e Compare December 7, 2023 13:39
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from d05bf7e to a8c1dc8 Compare December 9, 2023 05:21
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from a8c1dc8 to c9daee7 Compare December 11, 2023 07:40
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from c9daee7 to 6402870 Compare December 13, 2023 03:50
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 6402870 to 29a0d05 Compare January 16, 2024 00:52
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 29a0d05 to 162d330 Compare January 23, 2024 00:15
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 162d330 to f810013 Compare January 23, 2024 01:00
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from f810013 to ea41a64 Compare January 23, 2024 05:06
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from ea41a64 to 7274c79 Compare January 25, 2024 01:24
@renovate renovate bot changed the title chore(deps): update dependency sharp to v0.32.6 [security] chore(deps): update dependency sharp to v0.32.6 [security] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/npm-sharp-vulnerability branch February 24, 2024 01:42
@renovate renovate bot restored the renovate/npm-sharp-vulnerability branch February 24, 2024 05:32
@renovate renovate bot changed the title chore(deps): update dependency sharp to v0.32.6 [security] - autoclosed chore(deps): update dependency sharp to v0.32.6 [security] Feb 24, 2024
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 7274c79 to 1e79bf4 Compare February 24, 2024 05:34
@renovate renovate bot force-pushed the renovate/npm-sharp-vulnerability branch from 1e79bf4 to 7e26aaf Compare March 28, 2024 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants