sst / open-next

Open source Next.js serverless adapter
https://open-next.js.org
MIT License

security fix: upgrade sharp version to 0.32.6 #361

Closed patrickufer closed 5 months ago

patrickufer commented 5 months ago

AWS Security Hub throws a HIGH-level severity finding on the image optimization lambda resource regarding the version of sharp.

Installed version: 0.32.5 Fixed version: 0.32.6

GHSA-54xq-cgqr-rpm3 CVE-2023-4863 - sharp

This PR bumps the installed version of sharp in the build step to the minimum fixed version 0.32.6, but if desired we can upgrade to the latest version at the time of writing, 0.33.2.

changeset-bot[bot] commented 5 months ago

⚠️ No Changeset found

Latest commit: 55f3f5f25756e7b673177fc70d138ebbbeb5981c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.


vercel[bot] commented 5 months ago

The latest updates on your projects.

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| open-next | ✅ Ready | Visit Preview | 💬 Add feedback | Feb 12, 2024 8:58pm |

khuezy commented 5 months ago

Thanks, we might want to upgrade to latest. There were some issues w/ nextjs + sharp on 14.0.5, but should have been fixed post that.

patrickufer commented 5 months ago

> Thanks, we might want to upgrade to latest. There were some issues w/ nextjs + sharp on 14.0.5, but should have been fixed post that.

Sounds good. Done ✅

patrickufer commented 5 months ago

@khuezy do you have an idea when this will get merged and released?

khuezy commented 5 months ago

I'll do a patch now, please open a ticket if this causes some issues. (Make sure your images are properly optimized to webp.)

khuezy commented 5 months ago

Released. For context, this would only affect people who have a "*" in their image optimization whitelist configuration (an anti-pattern)

khuezy commented 5 months ago

@patrickufer did you notice any errors in the image optimization logs?

khuezy commented 4 months ago

FYI, the latest sharp is broken :(

alacroix commented 4 months ago

@khuezy @patrickufer just wanted to confirm that the latest sharp version is broken with Next 14.1

It works with the env var SHARP_VERSION=0.32.6 override during the build though
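An added example (not open-next's own code) of the guard a build step could apply to the version discussed in this PR: honour a SHARP_VERSION override as mentioned above, but refuse to install anything older than 0.32.6, the minimum fixed version for GHSA-54xq-cgqr-rpm3 / CVE-2023-4863. The function names and the fallback pin are assumptions for illustration.

```javascript
// Added example, not part of open-next. Resolves the sharp version a build
// should install and rejects versions below the CVE-2023-4863 fix (0.32.6).
const FIXED_SHARP_VERSION = "0.32.6";   // minimum fixed version per GHSA-54xq-cgqr-rpm3
const DEFAULT_SHARP_VERSION = "0.32.6"; // assumed fallback when no override is set

// Parse "MAJOR.MINOR.PATCH" (a leading "v" or a "-prerelease" suffix is tolerated
// and ignored) into three numbers; anything else is rejected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: negative, zero or positive like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the given sharp version is older than the fixed version.
function isVulnerableSharp(installed) {
  return compareVersions(installed, FIXED_SHARP_VERSION) < 0;
}

// Pick the version to install: the SHARP_VERSION override if present, otherwise
// the default. A vulnerable pin fails the build instead of being installed silently.
function resolveSharpVersion(env = process.env) {
  const requested = env.SHARP_VERSION || DEFAULT_SHARP_VERSION;
  if (isVulnerableSharp(requested)) {
    throw new Error(
      `sharp ${requested} is below ${FIXED_SHARP_VERSION} (CVE-2023-4863); refusing to build`
    );
  }
  return requested;
}
```

With `SHARP_VERSION=0.32.6` in the environment the resolver returns that pin, matching the override reported to work above; an unset variable falls back to the same fixed version.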

khuezy commented 4 months ago

This might be potentially fixed with 14.1.1 (canary 11+)