New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency sharp to 0.32.6 [security] #671
base: main
Are you sure you want to change the base?
Conversation
⚠ Artifact update problemRenovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: package-lock.json
|
❌ Deploy Preview for apollo-monodocs failed.
|
This update requires moving to Gatsby v5 |
d806c51
to
c0acf2c
Compare
167336d
to
1d25082
Compare
f7948a4
to
996169e
Compare
2c77ba9
to
368c72d
Compare
cd6f441
to
0ce237f
Compare
9b2b747
to
f482b77
Compare
58365f4
to
a8676e9
Compare
c8df648
to
5c326c6
Compare
1e08dfd
to
c405776
Compare
0300e34
to
825bf01
Compare
dc2208d
to
588375a
Compare
72a9192
to
d66ec08
Compare
b7b93cd
to
1752d63
Compare
9a3ce09
to
cbe23d1
Compare
cbe23d1
to
83db8c6
Compare
|
83db8c6
to
5a00cc3
Compare
This PR contains the following updates:
0.29.3
->0.32.6
GitHub Vulnerability Alerts
CVE-2022-29256
There's a possible vulnerability in logic that is run only at
npm install
time when installing versions ofsharp
prior to the latest v0.30.5.This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.
If an attacker has the ability to set the value of the
PKG_CONFIG_PATH
environment variable in a build environment then they might be able to use this to inject an arbitrary command atnpm install
time.I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a "medium" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X
This problem was fixed in commit a6aeef6 and published as part of
sharp
v0.30.5.Thank you very much to @dwisiswant0 for the responsible disclosure.
Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.
GHSA-54xq-cgqr-rpm3
Overview
sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity GHSA-j7hp-h8jx-5ppr.
Who does this affect?
Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.
How to resolve this?
Using prebuilt binaries provided by sharp?
Most people rely on the prebuilt binaries provided by sharp.
Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.
Using a globally-installed libvips?
Please ensure you are using the latest libwebp 1.3.2.
Possible workaround
Add the following to your code to prevent sharp from decoding WebP images.
Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.