@Sunwuyuan
Member


Snyk has created this PR to upgrade sharp from 0.33.5 to 0.34.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 15 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Issue | Score | Exploit Maturity
high severity: Uncaught Exception (SNYK-JS-MULTER-10773732) | 666 | No Known Exploit
high severity: Incomplete Filtering of One or More Instances of Special Elements (SNYK-JS-VALIDATOR-13653476) | 666 | Proof of Concept
medium severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-AXIOS-12613773) | 666 | Proof of Concept
medium severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-BODYPARSER-14105059) | 666 | No Known Exploit
medium severity: Prototype Pollution (SNYK-JS-EXPRESS-14157151) | 666 | No Known Exploit
medium severity: Improper Handling of Unexpected Data Type (SNYK-JS-ONHEADERS-10773729) | 666 | No Known Exploit
medium severity: Improper Validation of Specified Type of Input (SNYK-JS-VALIDATOR-13395830) | 666 | Proof of Concept
low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 666 | Proof of Concept
low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 666 | Proof of Concept
critical severity: Predictable Value Range from Previous Values (SNYK-JS-FORMDATA-10841150) | 666 | Proof of Concept
Release notes
Package name: sharp
  • 0.34.5 - 2025-11-06
    • Upgrade to libvips v8.17.3 for upstream bug fixes.
    • Add experimental support for prebuilt Linux RISC-V 64-bit binaries.
    • Support building from source with npm v12+, deprecate --build-from-source flag. (#4458)
    • Add support for BigTIFF output. (#4459, @throwbi)
    • Improve error messaging when only warnings issued. (#4465)
    • Simplify ICC processing when retaining input profiles. (#4468)

  • 0.34.4 - 2025-09-17
    • Upgrade to libvips v8.17.2 for upstream bug fixes.
    • Ensure TIFF subifd and OpenSlide level input options are respected (regression in 0.34.3).
    • Ensure autoOrient occurs before non-90 angle rotation. (#4425)
    • Ensure autoOrient removes existing metadata after shrink-on-load. (#4431)
    • TypeScript: Ensure KernelEnum includes linear. (#4441, @BayanBennett)
    • Ensure unlimited flag is passed upstream when reading TIFF images. (#4446)
    • Support Electron memory cage when reading XMP metadata (regression in 0.34.3). (#4451)
    • Add sharp-libvips rpath for yarn v5 support. (#4452, @arcanis)

  • 0.34.4-rc.3 - 2025-09-15
    • Upgrade to libvips v8.17.2 for upstream bug fixes.
    • Ensure autoOrient occurs before non-90 angle rotation. (#4425)
    • Ensure autoOrient removes existing metadata after shrink-on-load. (#4431)
    • TypeScript: Ensure KernelEnum includes linear. (#4441, @BayanBennett)
    • Ensure unlimited flag is passed upstream when reading TIFF images. (#4446)
    • Support Electron memory cage when reading XMP metadata (regression in 0.34.3). (#4451)
    • Add sharp-libvips rpath for yarn v5 support. (#4452, @arcanis)

  • 0.34.3 - 2025-07-10
    No content.
  • 0.34.3-rc.1 - 2025-07-09
  • 0.34.3-rc.0 - 2025-06-14
  • 0.34.2 - 2025-05-20
  • 0.34.2-rc.0 - 2025-05-14
  • 0.34.1 - 2025-04-07
  • 0.34.0 - 2025-04-04
  • 0.34.0-rc.1 - 2025-04-03
  • 0.34.0-rc.0 - 2025-03-16
  • 0.33.5 - 2024-08-16
from sharp GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
sharp

See this project in Snyk:
https://app.snyk.io/org/sunwuyuan/project/7f95d725-ca6f-4cce-ab56-8b055b9f632f?utm_source=github&utm_medium=referral&page=upgrade-pr
Copilot AI review requested due to automatic review settings December 10, 2025 08:48
@vercel

vercel bot commented Dec 10, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
our-world | Error | Error | | Dec 10, 2025 8:48am

Copilot AI left a comment

Pull request overview

This PR upgrades the sharp image processing library from version 0.34.3 to 0.34.5 to address security vulnerabilities in transitive dependencies. The upgrade is a patch version bump within the 0.34.x series, which according to semver should maintain backward compatibility. The change affects image processing functionality used in src/services/assets.js.

Key Changes:

  • Bump sharp dependency from ^0.34.3 to ^0.34.5 in package.json


@claude

claude bot commented Dec 10, 2025

Pull Request Review: Upgrade sharp from 0.34.3 to 0.34.5

Overview

This PR upgrades the sharp image processing library from version 0.34.3 to 0.34.5. This is a security-focused dependency upgrade.

Security Considerations - POSITIVE

  • Fixes 10 security vulnerabilities (2 HIGH, 5 MEDIUM, 2 LOW, 1 CRITICAL)
  • Addresses issues in multer, validator, axios, body-parser, express, and form-data
  • Security upgrade should be merged promptly

Code Quality - POSITIVE

  • Minimal change (single line in package.json)
  • Follows semantic versioning (patch release)
  • Codebase uses sharp extensively in src/services/assets.js with proper error handling

Potential Issues

  • Version 0.34.5 upgrades to libvips v8.17.3 which may have subtle changes
  • Code at line 222 in assets.js relies on Sharp default ICC behavior - validate after upgrade
  • CRITICAL: Repository has no test suite - image processing failures could go undetected

Test Coverage - CRITICAL GAPS

  • No automated tests for image processing
  • No tests for avatar upload/resize
  • No tests for format conversion or file validation
  • Manual testing required before deployment

Recommendations

IMMEDIATE:

  1. MERGE THIS PR for security fixes
  2. Manual test: image uploads, avatar processing, format conversion before deploying

FOLLOW-UP:

  3. Add integration tests for image processing
  4. Run pnpm audit to verify vulnerabilities resolved
  5. Add monitoring for Sharp processing errors

Final Verdict: APPROVE with CONDITIONS

Risk Level: LOW - Sharp has excellent backward compatibility
Action Required: Manual testing before production deployment

@claude

claude bot commented Dec 10, 2025

Pull Request Review: Sharp Upgrade from 0.33.5 to 0.34.5

Summary

This PR upgrades the sharp image processing library from version 0.33.5 to 0.34.5, spanning 15 versions. This is a security and maintenance update that addresses multiple vulnerabilities while introducing several improvements.
Code Quality and Best Practices

✅ Positive Aspects

  • Automated dependency management: Using Snyk for automated security updates is excellent practice
  • Minimal change scope: Single dependency update reduces risk
  • Version jump rationale: The upgrade addresses 10 security vulnerabilities (2 high, 4 medium, 3 low, 1 critical)

⚠️ Considerations

  • Large version jump: 15 versions is substantial (0.33.5 → 0.34.5)
  • Breaking changes potential: Major version changes (0.33 → 0.34) may introduce breaking changes
  • No test suite: The repository has no automated tests (npm test returns error, no test files found)

Potential Bugs or Issues

🔴 Critical Concerns

1. Sharp API Compatibility

The codebase uses sharp extensively in src/services/assets.js:6 with the following operations:

  • withMetadata() (lines 219, 301) - ICC profile handling was simplified in v0.34.5
  • Image processing with quality settings
  • Format conversions (webp, jpeg, png, avif)
  • Metadata manipulation

Risk: The v0.34.5 release notes mention "Simplify ICC processing when retaining input profiles" which could affect the withMetadata() calls.

Code Location: src/services/assets.js:219, src/services/assets.js:301

Recommendation: Test image processing thoroughly, especially:

  • Images with ICC color profiles
  • EXIF metadata removal (used for sanitization)
  • Various input formats (JPEG, PNG, WebP, SVG)

2. Build System Compatibility

Sharp v0.34.5 deprecates the --build-from-source flag and updates to libvips v8.17.3.

Risk:

  • Installation failures in CI/CD or production environments
  • Platform-specific binary compatibility issues
  • Docker build issues

Security Concerns

✅ Security Improvements

This upgrade fixes 10 vulnerabilities including:

Critical Severity (1):

  • SNYK-JS-FORMDATA-10841150 - Predictable value range (PoC exists)

High Severity (2):

  • SNYK-JS-MULTER-10773732 - Uncaught Exception
  • SNYK-JS-VALIDATOR-13653476 - Incomplete Filtering of Special Elements (PoC exists)

Medium Severity (4):

  • Resource allocation issues in axios, body-parser
  • Prototype Pollution in express
  • Improper validation issues

⚠️ Security Notes

  1. Indirect vulnerabilities: Most vulnerabilities are in transitive dependencies, not sharp itself
  2. Update verification needed: Verify vulnerabilities are actually resolved after installation
  3. Image processing security: Sharp handles user-uploaded images - ensure no new attack vectors

Performance Considerations

Potential Improvements

  • libvips v8.17.3: Upstream bug fixes may improve performance
  • ICC profile handling: Simplified processing could be faster
  • BigTIFF support: New feature for handling larger files

📊 Performance Testing Recommendations

Test these scenarios with realistic data:

  1. Bulk image uploads - Monitor memory usage and processing time
  2. Large image files - Test files > 5000x5000 pixels
  3. Avatar generation - 512x512 WebP conversion
  4. Concurrent uploads - Multiple simultaneous uploads

Key code paths to benchmark:

  • processImage() - Main image processing function (line 173)
  • uploadFile() - File upload with processing (line 667)

Test Coverage

❌ Critical Issue: No Test Suite

No test files found and npm test returns error.

🚨 Recommendation: Manual Testing Required

Without automated tests, this upgrade MUST be tested manually before merging:

Essential Manual Tests:

  1. Image Upload Tests

    • Upload various formats: JPEG, PNG, GIF, WebP, SVG
    • Upload large images (> 5000px width/height)
    • Upload images with EXIF data
    • Upload images with ICC color profiles
  2. Image Processing Tests

    • Verify WebP conversion works (default format)
    • Test quality settings
    • Verify metadata sanitization
    • Test avatar processing (512x512, 500KB limit)
    • Test size constraints and retry logic
  3. Error Handling Tests

    • Invalid file types
    • Corrupted images
    • Files exceeding size limits
    • Empty files
  4. S3 Integration Tests

    • Verify upload to S3 succeeds
    • Check generated URLs are accessible

Additional Recommendations

1. Installation Testing

pnpm install
node -e "require('sharp')"

2. Dependency Audit

pnpm audit

3. Lock File Update

  • Verify pnpm-lock.yaml is updated and committed

4. Gradual Rollout

  • Deploy to staging environment first
  • Monitor error rates and performance metrics
  • Keep rollback plan ready

Verdict

✅ Approve with Conditions

This PR should be merged for security reasons, but NOT without proper testing.

Before Merging:

  1. Manual testing of all image upload/processing flows
  2. Staging deployment with monitoring
  3. Verify pnpm-lock.yaml is updated
  4. Test on production-like environment
  5. ⚠️ Consider adding basic integration tests for future upgrades

Post-Merge Actions:

  1. Monitor error logs for sharp-related errors
  2. Monitor performance metrics (response times, memory usage)
  3. Have rollback plan ready
  4. Consider adding automated tests to prevent regression

Priority: High

The security vulnerabilities are significant, particularly the critical severity issue in form-data. However, the lack of test coverage makes this a high-risk change that requires careful validation.


Review generated by Claude Code on 2025-12-10
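A post-upgrade smoke check for the avatar path the review above asks to test manually (512x512 WebP, 500 KB limit with quality retries, and metadata sanitization). This is an added example, not code from the project's src/services/assets.js; it assumes sharp is installed and takes the avatar size, byte limit and quality range as stated in the review.

```javascript
// Post-upgrade smoke check for the avatar path the review lists for manual testing:
// resize to 512x512, encode as WebP under a 500 KB limit with quality step-down
// retries, and confirm EXIF/ICC/XMP/IPTC are not carried into the output.
// Added example, not the project's assets.js; assumes `sharp` is installed.
const AVATAR_SIZE = 512;          // avatar dimensions as stated in the review
const AVATAR_LIMIT = 500 * 1024;  // 500 KB limit as stated in the review

// Retry logic: call encodeAt(quality) with decreasing quality until the result
// fits in limitBytes. encodeAt returns a Buffer or a Promise<Buffer>.
async function encodeUnderLimit(encodeAt, limitBytes, opts = {}) {
  const { start = 80, min = 40, step = 10 } = opts; // assumed quality range
  for (let quality = start; quality >= min; quality -= step) {
    const buf = await encodeAt(quality);
    if (buf.length <= limitBytes) return { buffer: buf, quality };
  }
  throw new Error(`could not fit output under ${limitBytes} bytes at quality >= ${min}`);
}

// Check a sharp metadata() result: sharp drops metadata unless withMetadata()
// or keepMetadata() is used, so a sanitized avatar must carry none of it.
function sanitizationProblems(meta, size = AVATAR_SIZE) {
  const problems = [];
  if (meta.format !== 'webp') problems.push(`format is ${meta.format}, expected webp`);
  if (meta.width !== size || meta.height !== size) {
    problems.push(`dimensions ${meta.width}x${meta.height}, expected ${size}x${size}`);
  }
  for (const key of ['exif', 'icc', 'xmp', 'iptc']) {
    if (meta[key]) problems.push(`${key} metadata survived in the output`);
  }
  return problems;
}

// Wire both helpers to sharp: returns the avatar buffer, the quality used,
// and any sanitization problems found by re-reading the encoded output.
async function processAvatar(input) {
  const sharp = require('sharp'); // loaded lazily so the helpers above stay testable without it
  const encodeAt = (quality) =>
    sharp(input)
      .rotate() // apply the EXIF orientation before that tag is stripped
      .resize(AVATAR_SIZE, AVATAR_SIZE, { fit: 'cover' })
      .webp({ quality })
      .toBuffer();
  const { buffer, quality } = await encodeUnderLimit(encodeAt, AVATAR_LIMIT);
  const meta = await sharp(buffer).metadata();
  return { buffer, quality, problems: sanitizationProblems(meta) };
}

module.exports = { encodeUnderLimit, sanitizationProblems, processAvatar };
```

Run processAvatar over sample uploads that carry EXIF and ICC data before and after the upgrade; a non-empty problems array means sizing or metadata handling changed.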
