[Snyk] Security upgrade sharp from 0.29.3 to 0.30.5 - Githubissues

ever-co / ever-demand

Ever® Demand™ - Open Commerce Platform - https://everdemand.co

https://everdemand.co

GNU Affero General Public License v3.0

1.69k stars 456 forks source link

[Snyk] Security upgrade sharp from 0.29.3 to 0.30.5 #1490

Closed snyk-bot closed 5 months ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- packages/core/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	611/1000 Why? Recently disclosed, Has a fix available, CVSS 6.5	Remote Code Execution (RCE) SNYK-JS-SHARP-2848109	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: sharp

The new version differs by 120 commits.

db654de Release v0.30.5
a6aeef6 Install: pass `PKG_CONFIG_PATH` via env rather than substitution
7bf6cbd Docs: correct links to libvips documentation
04c31b3 Install: warn about filesystem owner running npm v8+ as root
ee9cdb6 Bump deps
8960eb8 Docs: changelog entry for #3218
54d9dc4 Fix rotate-then-extract for EXIF orientation 2 (#3218)
51b4a7c Add support for --libc flag to improve cross-platform install (#3160)
5b03579 Docs: more details about concurrency, parallelism, threads
58c2af3 Docs: improve output format info for toBuffer
ee948ac Docs: changelog and credit for #3196
66a3ce5 Allow installation of prebuilt libvips binary from filesystem (#3196)
75e5afc Docs: fix typo in gif example (#3201)
d396a4e Release v0.30.4
ae1dbcd Bump deps
4c29368 Docs: EXIF metadata unsupported for TIFF output #3074
36e5596 Docs: mention npm's foreground-scripts option to aid debugging
985e881 Bump deps
0b11671 Docs: changelog for #3178
9deac83 Add missing file name to 'Input file is missing' error message (#3178)
5d36f5f Improve error message for SVG render above limit #3167
926572b Control sensitivity to invalid images via failOn
d0c8e95 Docs: expand info about use with worker threads
b0ca23c Docs: changelog and credit for #3146

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

CLAassistant commented 2 years ago

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}