[Security] Bump sharp from 0.32.1 to 0.32.6
Bumps sharp from 0.32.1 to 0.32.6. This update includes a security fix.
Vulnerabilities fixed
sharp vulnerability in libwebp dependency CVE-2023-4863
Overview
sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.
Who does this affect?
Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.
How to resolve this?
Using prebuilt binaries provided by sharp?
Most people rely on the prebuilt binaries provided by sharp.
Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.
Using a globally-installed libvips?
Please ensure you are using the latest libwebp 1.3.2.
... (truncated)
Patched versions: 0.32.6
Affected versions: < 0.32.6
Changelog
Sourced from sharp's changelog.
v0.32.6 - 18th September 2023
Upgrade to libvips v8.14.5 for upstream bug fixes.
Ensure composite tile images are fully decoded (regression in 0.32.0). #3767
Ensure withMetadata can add ICC profiles to RGB16 output. #3773
Ensure withMetadata does not reduce 16-bit images to 8-bit (regression in 0.32.5). #3773
TypeScript: Add definitions for block and unblock. #3799 @ldrick
v0.32.5 - 15th August 2023
Upgrade to libvips v8.14.4 for upstream bug fixes.
TypeScript: Add missing WebpPresetEnum to definitions. #3748 @pilotso11
Ensure compilation using musl v1.2.4. #3755 @kleisauke
Ensure resize with a fit of inside respects 90/270 degree rotation. #3756
TypeScript: Ensure minSize property of WebpOptions is boolean. #3758 @sho-xizz
Ensure withMetadata adds default sRGB profile. #3761
v0.32.4 - 21st July 2023
Upgrade to libvips v8.14.3 for upstream bug fixes.
Expose ability to (un)block low-level libvips operations by name.
Prebuilt binaries: restore support for tile-based output. #3581
v0.32.3 - 14th July 2023
... (truncated)
Commits
- eefaa99 Release v0.32.6
- dbce6fa Upgrade to libvips v8.14.5
- af0fcb3 Docs: changelog for #3799
- c6f54e5 Bump devDeps
- 846563e TypeScript: add definitions for block and unblock (#3799)
- 9c217ab Ensure withMetadata can add RGB16 profiles #3773
- e7381e5 Alternative fix for 4340d60, uses existing StaySequential
- 4340d60 Ensure composite tile images fully decoded #3767
- 7f64d46 Docs: add missing returns property to raw
- 67e927b Docs: ensure all functions include method signature #3777
- Additional commits viewable in compare view
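
A bump of the top-level dependency does not update copies of sharp that other packages install under their own node_modules. The following is an added example, not part of this PR or of sharp: it lists every copy of sharp recorded in an npm lockfile and flags those in the advisory's affected range (< 0.32.6). It assumes the lockfileVersion 2/3 "packages" layout; the sample lockfile and the package names in it other than sharp are constructed.

```javascript
// Added example (not part of the PR): list every copy of sharp in an npm
// lockfile and flag those in the advisory's affected range (< 0.32.6).
const PATCHED = [0, 32, 6]; // patched version, taken from the advisory above

function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true; // unparseable version: fail closed and review by hand
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return Boolean(m[4]); // a prerelease of 0.32.6 sorts before 0.32.6
}

// Walks the "packages" map of lockfileVersion 2/3, so nested copies pulled in
// by other dependencies are reported as well as the top-level one.
function findSharpCopies(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/sharp" || path.endsWith("/node_modules/sharp")) {
      found.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return found;
}

// Constructed sample lockfile; package names other than sharp are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/sharp": { version: "0.32.6" },
    "node_modules/image-plugin/node_modules/sharp": { version: "0.32.1" },
    "node_modules/sharp-helper": { version: "0.1.0" }, // different package, ignored
  },
};

for (const copy of findSharpCopies(sampleLock)) {
  console.log(`${copy.affected ? "AFFECTED" : "ok      "} ${copy.version} ${copy.path}`);
}
```

A clean result here covers only the prebuilt-binary path; with a globally-installed libvips the fix depends on the system libwebp being 1.3.2, which a lockfile does not record.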