:arrow_up: Updates sharp to ^0.32.0 [SECURITY]

renovate[bot] commented 2 years ago

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sharp (source, changelog)	`^0.27.2` -> `^0.32.0`

GitHub Vulnerability Alerts

CVE-2022-29256

There's a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5.

This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.

If an attacker has the ability to set the value of the PKG_CONFIG_PATH environment variable in a build environment then they might be able to use this to inject an arbitrary command at npm install time.

I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a "medium" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.

AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X

This problem was fixed in commit a6aeef6 and published as part of sharp v0.30.5.

Thank you very much to @dwisiswant0 for the responsible disclosure.

Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.

GHSA-54xq-cgqr-rpm3

Overview

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.

Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

How to resolve this?

Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.

sharp.block({ operation: ["VipsForeignLoadWebp"] });

Release Notes

lovell/sharp (sharp)

### [`v0.32.6`](https://togithub.com/lovell/sharp/compare/v0.32.5...v0.32.6) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.5...v0.32.6) ### [`v0.32.5`](https://togithub.com/lovell/sharp/compare/v0.32.4...v0.32.5) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.4...v0.32.5) ### [`v0.32.4`](https://togithub.com/lovell/sharp/compare/v0.32.3...v0.32.4) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.3...v0.32.4) ### [`v0.32.3`](https://togithub.com/lovell/sharp/compare/v0.32.2...v0.32.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.2...v0.32.3) ### [`v0.32.2`](https://togithub.com/lovell/sharp/compare/v0.32.1...v0.32.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.1...v0.32.2) ### [`v0.32.1`](https://togithub.com/lovell/sharp/compare/v0.32.0...v0.32.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.0...v0.32.1) ### [`v0.32.0`](https://togithub.com/lovell/sharp/compare/v0.31.3...v0.32.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.3...v0.32.0) ### [`v0.31.3`](https://togithub.com/lovell/sharp/compare/v0.31.2...v0.31.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.2...v0.31.3) ### [`v0.31.2`](https://togithub.com/lovell/sharp/compare/v0.31.1...v0.31.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.1...v0.31.2) ### [`v0.31.1`](https://togithub.com/lovell/sharp/compare/v0.31.0...v0.31.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.0...v0.31.1) ### [`v0.31.0`](https://togithub.com/lovell/sharp/compare/v0.30.7...v0.31.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.7...v0.31.0) ### [`v0.30.7`](https://togithub.com/lovell/sharp/compare/v0.30.6...v0.30.7) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.6...v0.30.7) ### [`v0.30.6`](https://togithub.com/lovell/sharp/compare/v0.30.5...v0.30.6) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.5...v0.30.6) ### [`v0.30.5`](https://togithub.com/lovell/sharp/compare/v0.30.4...v0.30.5) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.4...v0.30.5) ### [`v0.30.4`](https://togithub.com/lovell/sharp/compare/v0.30.3...v0.30.4) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.3...v0.30.4) ### [`v0.30.3`](https://togithub.com/lovell/sharp/compare/v0.30.2...v0.30.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.2...v0.30.3) ### [`v0.30.2`](https://togithub.com/lovell/sharp/compare/v0.30.1...v0.30.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.1...v0.30.2) ### [`v0.30.1`](https://togithub.com/lovell/sharp/compare/v0.30.0...v0.30.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.0...v0.30.1) ### [`v0.30.0`](https://togithub.com/lovell/sharp/compare/v0.29.3...v0.30.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.3...v0.30.0) ### [`v0.29.3`](https://togithub.com/lovell/sharp/compare/v0.29.2...v0.29.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.2...v0.29.3) ### [`v0.29.2`](https://togithub.com/lovell/sharp/compare/v0.29.1...v0.29.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.1...v0.29.2) ### [`v0.29.1`](https://togithub.com/lovell/sharp/compare/v0.29.0...v0.29.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.0...v0.29.1) ### [`v0.29.0`](https://togithub.com/lovell/sharp/compare/v0.28.3...v0.29.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.3...v0.29.0) ### [`v0.28.3`](https://togithub.com/lovell/sharp/compare/v0.28.2...v0.28.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.2...v0.28.3) ### [`v0.28.2`](https://togithub.com/lovell/sharp/compare/v0.28.1...v0.28.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.1...v0.28.2) ### [`v0.28.1`](https://togithub.com/lovell/sharp/compare/v0.28.0...v0.28.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.0...v0.28.1) ### [`v0.28.0`](https://togithub.com/lovell/sharp/compare/v0.27.2...v0.28.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.27.2...v0.28.0)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

changelogg[bot] commented 2 years ago

Hey! Changelogs info seems to be missing or might be in incorrect format. Please use the below template in PR description to ensure Changelogg can detect your changes:

    - (tag) changelog_text

or
```
- tag: changelog_text
```
**OR**
You can add tag in PR header or while doing a commit too
```    
(tag) PR header
```
or
```
tag: PR header
```
Valid tags: **added** / **feat**, **changed**, **deprecated**, **fixed** / **fix**, **removed**, **security**, **build**, **ci**, **chore**, **docs**, **perf**, **refactor**, **revert**, **style**, **test**
Thanks!
For more info, check out [changelogg docs](https://docs.changelogg.io/)

renovate[bot] commented 2 years ago

Branch automerge failure

This PR was configured for branch automerge, however this is not possible so it has been raised as a PR instead.

Branch has one or more failed status checks

viezly[bot] commented 2 years ago

Pull request by bot. No need to analyze

github-actions[bot] commented 2 years ago

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

github-actions[bot] commented 2 years ago

Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.

github-actions[bot] commented 2 years ago

Hello from PR Helper

Is your PR ready for review and processing? Mark the PR ready by including #pr-ready in a comment.

If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold in a comment.

socket-security[bot] commented 11 months ago

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
sharp	0.27.2...0.32.6	None	`+15/-28`	1.47 MB	lovell

socket-security[bot] commented 11 months ago

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Bin script shell injection	npm	6.14.12	Bin Script: which	@semantic-release/changelog@5.0.1, @semantic-release/commit-analyzer@8.0.1, @semantic-release/git@9.0.0, @semantic-release/github@7.2.0, @semantic-release/npm@7.0.10, @semantic-release/release-notes-generator@9.0.2, semantic-release@17.4.2 via `package.json`

Next steps

What is bin script shell injection?

This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack

Packages should not export bin scripts which conflict with well known shell commands

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm@6.14.12

AlexRogalskiy / github-action-image-resizer