Skip to content

fix(deps): update dependency sharp to v0.32.6 [security]#105

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-sharp-vulnerability
Open

fix(deps): update dependency sharp to v0.32.6 [security]#105
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-sharp-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Nov 16, 2023

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
sharp (source, changelog) 0.31.00.32.6 age confidence

sharp vulnerability in libwebp dependency CVE-2023-4863

GHSA-54xq-cgqr-rpm3

More information

Details

Overview

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity GHSA-j7hp-h8jx-5ppr.

Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

How to resolve this?
Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.

sharp.block({ operation: ["VipsForeignLoadWebp"] });

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

lovell/sharp (sharp)

v0.32.6

Compare Source

v0.32.5

Compare Source

v0.32.4

Compare Source

v0.32.3

Compare Source

v0.32.2

Compare Source

v0.32.1

Compare Source

v0.32.0

Compare Source

v0.31.3

Compare Source

v0.31.2

Compare Source

v0.31.1

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Nov 16, 2023

Copy link
Copy Markdown
Contributor Author

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: mdx-bundler@9.0.1
npm ERR! Found: esbuild@0.15.10
npm ERR! node_modules/esbuild
npm ERR!   esbuild@"0.15.10" from the root project
npm ERR!   peer esbuild@"*" from @esbuild-plugins/node-resolve@0.1.4
npm ERR!   node_modules/@esbuild-plugins/node-resolve
npm ERR!     @esbuild-plugins/node-resolve@"^0.1.4" from mdx-bundler@9.0.1
npm ERR!     node_modules/mdx-bundler
npm ERR!       mdx-bundler@"9.0.1" from the root project
npm ERR!   1 more (@mdx-js/esbuild)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer esbuild@"0.11.x || 0.12.x || 0.13.x || 0.14.x" from mdx-bundler@9.0.1
npm ERR! node_modules/mdx-bundler
npm ERR!   mdx-bundler@"9.0.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: esbuild@0.14.54
npm ERR! node_modules/esbuild
npm ERR!   peer esbuild@"0.11.x || 0.12.x || 0.13.x || 0.14.x" from mdx-bundler@9.0.1
npm ERR!   node_modules/mdx-bundler
npm ERR!     mdx-bundler@"9.0.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-04-04T15_51_26_295Z-debug-0.log

@renovate renovate Bot changed the title fix(deps): update dependency sharp to v0.32.6 [security] fix(deps): update dependency sharp to v0.32.6 [security] - autoclosed Apr 4, 2024
@renovate renovate Bot closed this Apr 4, 2024
@renovate renovate Bot deleted the renovate/npm-sharp-vulnerability branch April 4, 2024 13:50
@renovate renovate Bot changed the title fix(deps): update dependency sharp to v0.32.6 [security] - autoclosed fix(deps): update dependency sharp to v0.32.6 [security] Apr 4, 2024
@renovate renovate Bot reopened this Apr 4, 2024
@renovate renovate Bot restored the renovate/npm-sharp-vulnerability branch April 4, 2024 15:50
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 60db968 to 0282734 Compare April 4, 2024 15:51
@renovate

renovate Bot commented May 19, 2025

Copy link
Copy Markdown
Contributor Author

@duyetbot review

@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 0282734 to 05f8bf4 Compare August 10, 2025 13:43
@renovate

renovate Bot commented Aug 10, 2025

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: mdx-bundler@9.0.1
npm ERR! Found: esbuild@0.15.10
npm ERR! node_modules/esbuild
npm ERR!   esbuild@"0.15.10" from the root project
npm ERR!   peer esbuild@"*" from @esbuild-plugins/node-resolve@0.1.4
npm ERR!   node_modules/@esbuild-plugins/node-resolve
npm ERR!     @esbuild-plugins/node-resolve@"^0.1.4" from mdx-bundler@9.0.1
npm ERR!     node_modules/mdx-bundler
npm ERR!       mdx-bundler@"9.0.1" from the root project
npm ERR!   1 more (@mdx-js/esbuild)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer esbuild@"0.11.x || 0.12.x || 0.13.x || 0.14.x" from mdx-bundler@9.0.1
npm ERR! node_modules/mdx-bundler
npm ERR!   mdx-bundler@"9.0.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: esbuild@0.14.54
npm ERR! node_modules/esbuild
npm ERR!   peer esbuild@"0.11.x || 0.12.x || 0.13.x || 0.14.x" from mdx-bundler@9.0.1
npm ERR!   node_modules/mdx-bundler
npm ERR!     mdx-bundler@"9.0.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-06-11T19_34_05_990Z-debug-0.log

@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 05f8bf4 to 0aa7c20 Compare August 13, 2025 15:54
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 0aa7c20 to 2e09569 Compare August 31, 2025 09:39
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 2e09569 to ec84867 Compare September 25, 2025 19:32
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from ec84867 to 54be72f Compare October 21, 2025 10:50
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 54be72f to c1cb09c Compare November 11, 2025 01:57
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from c1cb09c to ce045a8 Compare December 3, 2025 18:53
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from ce045a8 to f7877fa Compare February 2, 2026 15:16
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from 2c4ed52 to c55ec59 Compare February 17, 2026 16:52
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from c55ec59 to ef37a39 Compare March 5, 2026 17:08
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from ef37a39 to c674c6f Compare March 13, 2026 10:56
@renovate renovate Bot changed the title fix(deps): update dependency sharp to v0.32.6 [security] fix(deps): update dependency sharp to v0.32.6 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-sharp-vulnerability branch March 27, 2026 02:15
@renovate renovate Bot changed the title fix(deps): update dependency sharp to v0.32.6 [security] - autoclosed fix(deps): update dependency sharp to v0.32.6 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch 3 times, most recently from ddbeb03 to 623513d Compare April 1, 2026 17:51
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 623513d to cb8be7b Compare April 8, 2026 16:45
@renovate renovate Bot changed the title fix(deps): update dependency sharp to v0.32.6 [security] fix(deps): update dependency sharp to v0.32.6 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency sharp to v0.32.6 [security] - autoclosed fix(deps): update dependency sharp to v0.32.6 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch 3 times, most recently from 55bb9bf to 592ff41 Compare April 29, 2026 13:07
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from d7547be to de57ca9 Compare May 18, 2026 11:31
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch 2 times, most recently from 6426185 to 61263d7 Compare June 1, 2026 19:11
@renovate renovate Bot force-pushed the renovate/npm-sharp-vulnerability branch from 61263d7 to 5d394ae Compare June 11, 2026 19:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants