Move JXL from ALL to WEB group

[fredprodibi]

Hello,

JXL integrated in libvips has been working well for month now.

Would it be possible to add jxl to the web build instead of the all build?

I would make life much easier for integrators that uses libvips.net for example

Thank you

[jcupitt]

Hello @fredprodibi,

We've discussed this a bit. Last time the subject came up (August 2021 I think) we decided that oss-fuzz was still finding quite serious issues in libjxl and that it would be wise to wait a little longer for it to stabilize.

This PR https://github.com/libvips/libvips/pull/2636 has another possible solution: it adds API to let users disable loaders at runtime. We could potentially ship libjxl in -web and users could enable it at runtime if they wished.

@lovell and @kleisauke, do you have an opinion on this?

[fredprodibi]

Enabling it at runtime would be a great solution for me at least

[lovell]

libjxl seems to be much more stable recently, which is great news. I think the current (private) bugs in oss-fuzz are now all memory-related e.g. decoding <1KB input JPEG-XL image consumes >3GB of RAM, which could easily cause a DoS with untrusted input.

We'll also need to assess the increased binary size of adding libjxl so we might want to make this dependent on https://github.com/libvips/libvips/pull/2688

(Should we move this discussion to the https://github.com/libvips/build-win64-mxe repo?)

[kleisauke]

From an browser support perspective, it feels a bit early to include JPEG-XL support in the web variant, as it is not supported by default in modern web browsers. For the same reason, JPEG 2000 support (besides the security issues in OpenJPEG) is also not available in the web variant since it is supported solely by Safari.

From an non-browser support perspective, besides the upstream issues listed in https://github.com/lovell/sharp/issues/2731#issuecomment-847292093 and the concerns in the comment above, I think it is wise to wait for a new release of libjxl, because it requires backporting a lot of patches.

[jcupitt]

git master libvips (will be 8.13) now has a feature to enable or disable loaders at runtime.

https://github.com/libvips/libvips/pull/2636