Open renovate[bot] opened 2 years ago
Hey! Changelogs info seems to be missing or might be in incorrect format. Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_text
or
```
- tag: changelog_text
```
**OR**
You can add tag in PR header or while doing a commit too
```
(tag) PR header
```
or
```
tag: PR header
```
Valid tags: **added** / **feat**, **changed**, **deprecated**, **fixed** / **fix**, **removed**, **security**, **build**, **ci**, **chore**, **docs**, **perf**, **refactor**, **revert**, **style**, **test**
Thanks!
For more info, check out [changelogg docs](https://docs.changelogg.io/)
This PR was configured for branch automerge, however this is not possible so it has been raised as a PR instead.
Pull request by bot. No need to analyze
Thanks for the PR!
This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.
Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.
Is your PR ready for review and processing? Mark the PR ready by including #pr-ready
in a comment.
If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold
in a comment.
Updated dependencies detected. Learn more about Socket for GitHub βοΈ
Packages | Version | New capabilities | Transitives | Size | Publisher |
---|---|---|---|---|---|
sharp | 0.27.2...0.32.6 | None | +15/-28 |
1.47 MB | lovell |
π¨ Potential security issues detected. Learn more about Socket for GitHub βοΈ
To accept the risk, merge this PR and you will not be notified again.
Issue | Package | Version | Note | Source |
---|---|---|---|---|
Bin script shell injection | npm | 6.14.12 |
|
This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack
Packages should not export bin scripts which conflict with well known shell commands
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of package-name@version
specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@*
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm@6.14.12
This PR contains the following updates:
^0.27.2
->^0.32.0
GitHub Vulnerability Alerts
CVE-2022-29256
There's a possible vulnerability in logic that is run only at
npm install
time when installing versions ofsharp
prior to the latest v0.30.5.This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.
If an attacker has the ability to set the value of the
PKG_CONFIG_PATH
environment variable in a build environment then they might be able to use this to inject an arbitrary command atnpm install
time.I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a "medium" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X
This problem was fixed in commit a6aeef6 and published as part of
sharp
v0.30.5.Thank you very much to @dwisiswant0 for the responsible disclosure.
Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.
GHSA-54xq-cgqr-rpm3
Overview
sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.
Who does this affect?
Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.
How to resolve this?
Using prebuilt binaries provided by sharp?
Most people rely on the prebuilt binaries provided by sharp.
Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.
Using a globally-installed libvips?
Please ensure you are using the latest libwebp 1.3.2.
Possible workaround
Add the following to your code to prevent sharp from decoding WebP images.
Release Notes
lovell/sharp (sharp)
### [`v0.32.6`](https://togithub.com/lovell/sharp/compare/v0.32.5...v0.32.6) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.5...v0.32.6) ### [`v0.32.5`](https://togithub.com/lovell/sharp/compare/v0.32.4...v0.32.5) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.4...v0.32.5) ### [`v0.32.4`](https://togithub.com/lovell/sharp/compare/v0.32.3...v0.32.4) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.3...v0.32.4) ### [`v0.32.3`](https://togithub.com/lovell/sharp/compare/v0.32.2...v0.32.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.2...v0.32.3) ### [`v0.32.2`](https://togithub.com/lovell/sharp/compare/v0.32.1...v0.32.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.1...v0.32.2) ### [`v0.32.1`](https://togithub.com/lovell/sharp/compare/v0.32.0...v0.32.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.32.0...v0.32.1) ### [`v0.32.0`](https://togithub.com/lovell/sharp/compare/v0.31.3...v0.32.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.3...v0.32.0) ### [`v0.31.3`](https://togithub.com/lovell/sharp/compare/v0.31.2...v0.31.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.2...v0.31.3) ### [`v0.31.2`](https://togithub.com/lovell/sharp/compare/v0.31.1...v0.31.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.1...v0.31.2) ### [`v0.31.1`](https://togithub.com/lovell/sharp/compare/v0.31.0...v0.31.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.31.0...v0.31.1) ### [`v0.31.0`](https://togithub.com/lovell/sharp/compare/v0.30.7...v0.31.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.7...v0.31.0) ### [`v0.30.7`](https://togithub.com/lovell/sharp/compare/v0.30.6...v0.30.7) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.6...v0.30.7) ### [`v0.30.6`](https://togithub.com/lovell/sharp/compare/v0.30.5...v0.30.6) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.5...v0.30.6) ### [`v0.30.5`](https://togithub.com/lovell/sharp/compare/v0.30.4...v0.30.5) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.4...v0.30.5) ### [`v0.30.4`](https://togithub.com/lovell/sharp/compare/v0.30.3...v0.30.4) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.3...v0.30.4) ### [`v0.30.3`](https://togithub.com/lovell/sharp/compare/v0.30.2...v0.30.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.2...v0.30.3) ### [`v0.30.2`](https://togithub.com/lovell/sharp/compare/v0.30.1...v0.30.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.1...v0.30.2) ### [`v0.30.1`](https://togithub.com/lovell/sharp/compare/v0.30.0...v0.30.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.30.0...v0.30.1) ### [`v0.30.0`](https://togithub.com/lovell/sharp/compare/v0.29.3...v0.30.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.3...v0.30.0) ### [`v0.29.3`](https://togithub.com/lovell/sharp/compare/v0.29.2...v0.29.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.2...v0.29.3) ### [`v0.29.2`](https://togithub.com/lovell/sharp/compare/v0.29.1...v0.29.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.1...v0.29.2) ### [`v0.29.1`](https://togithub.com/lovell/sharp/compare/v0.29.0...v0.29.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.29.0...v0.29.1) ### [`v0.29.0`](https://togithub.com/lovell/sharp/compare/v0.28.3...v0.29.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.3...v0.29.0) ### [`v0.28.3`](https://togithub.com/lovell/sharp/compare/v0.28.2...v0.28.3) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.2...v0.28.3) ### [`v0.28.2`](https://togithub.com/lovell/sharp/compare/v0.28.1...v0.28.2) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.1...v0.28.2) ### [`v0.28.1`](https://togithub.com/lovell/sharp/compare/v0.28.0...v0.28.1) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.28.0...v0.28.1) ### [`v0.28.0`](https://togithub.com/lovell/sharp/compare/v0.27.2...v0.28.0) [Compare Source](https://togithub.com/lovell/sharp/compare/v0.27.2...v0.28.0)Configuration
π Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).
π¦ Automerge: Enabled.
β» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.