
security fix: upgrade sharp version to 0.32.6 #361

Merged
merged 2 commits into from
Feb 13, 2024

Conversation

patrickufer (Contributor)
AWS Security Hub throws a HIGH-level severity finding on the image optimization lambda resource regarding the version of sharp.

Installed version: 0.32.5
Fixed version: 0.32.6

GHSA-54xq-cgqr-rpm3
CVE-2023-4863 - sharp

This PR bumps the installed version of sharp in the build step to the minimum fixed version, 0.32.6, but if desired we can upgrade to the latest version at the time of writing, 0.33.2.

changeset-bot bot commented Feb 12, 2024

⚠️ No Changeset found

Latest commit: 55f3f5f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


vercel bot commented Feb 12, 2024

The latest updates on your projects.

Name: open-next | Status: ✅ Ready | Preview: Visit Preview | Updated (UTC): Feb 12, 2024 8:58pm

khuezy (Contributor) commented Feb 12, 2024

Thanks, we might want to upgrade to latest. There were some issues w/ nextjs + sharp on 14.0.5, but should have been fixed post that.

patrickufer (Contributor, Author) commented:

> Thanks, we might want to upgrade to latest. There were some issues w/ nextjs + sharp on 14.0.5, but should have been fixed post that.

Sounds good. Done ✅

patrickufer (Contributor, Author) commented:

@khuezy do you have an idea when this will get merged and released?

@khuezy khuezy merged commit 40c2b36 into opennextjs:main Feb 13, 2024
3 checks passed
khuezy (Contributor) commented Feb 13, 2024

I'll do a patch now; please open a ticket if this causes some issues. (Make sure your images are properly optimized to webp.)

khuezy (Contributor) commented Feb 13, 2024

Released. For context, this would only affect people who have a "*" in their image optimization whitelist configuration (an anti-pattern).
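The two checks this thread points at, as an added example that is not code from the PR or the open-next project: is the sharp that will be bundled at or above the advisory's fixed version 0.32.6, and does the Next.js image whitelist accept any remote host? The function names, the sample config and the handling of the SHARP_VERSION override are assumptions.

```javascript
// Added example, not code from the PR or the open-next project. Two pre-deploy
// audit checks suggested by this thread; names and SHARP_VERSION semantics are assumed.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator (<0, 0, >0). A prerelease sorts below its final release; two
// prereleases are compared lexically, which is enough for this check.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null || pb.pre === null) return pa.pre === null ? 1 : -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Assumed build semantics from the thread: SHARP_VERSION in the environment
// overrides the version pinned in the build step.
function effectiveSharpVersion(env, pinned) {
  const override = (env.SHARP_VERSION || "").trim();
  return override !== "" ? override : pinned;
}

// Check 1: will the bundled sharp be older than the advisory's fixed version?
function sharpFinding(installed, fixed) {
  const vulnerable = compareVersions(installed, fixed) < 0;
  return { installed, fixed, vulnerable, severity: vulnerable ? "HIGH" : "none" };
}

// Check 2: does the Next.js image config accept any remote host? remotePatterns
// uses "**" for any hostname; a "*" in the legacy `domains` list is flagged too.
// Scoped patterns such as "*.example.com" are deliberately not flagged.
function openImageHosts(nextConfig) {
  const images = (nextConfig && nextConfig.images) || {};
  const findings = [];
  (images.domains || []).forEach((d, index) => {
    if (d.includes("*")) findings.push({ source: "domains", index, hostname: d });
  });
  (images.remotePatterns || []).forEach((p, index) => {
    const h = String(p.hostname || "");
    if (/^[*.]+$/.test(h)) findings.push({ source: "remotePatterns", index, hostname: h });
  });
  return findings;
}

// Constructed sample config (not from any real deployment): one open pattern.
const sampleConfig = { images: {
  domains: ["cdn.example.com"],
  remotePatterns: [
    { protocol: "https", hostname: "**" },
    { protocol: "https", hostname: "images.example.com", pathname: "/assets/**" },
  ],
} };
```

Running `sharpFinding(effectiveSharpVersion(process.env, "0.32.5"), "0.32.6")` reproduces the HIGH finding from the PR description, and `openImageHosts(sampleConfig)` reports the "**" pattern at index 0.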

khuezy (Contributor) commented Feb 16, 2024

@patrickufer did you notice any errors in the image optimization logs?

khuezy (Contributor) commented Feb 25, 2024

FYI, the latest sharp is broken :(

alacroix (Contributor) commented:

@khuezy @patrickufer just wanted to confirm that the latest sharp version is broken with Next 14.1

It works with the env var SHARP_VERSION=0.32.6 override during the build, though.

khuezy (Contributor) commented Mar 1, 2024

This might be potentially fixed with 14.1.1 (canary 11+)

conico974 added a commit that referenced this pull request Mar 11, 2024
commit ff37de2
Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Date:   Wed Mar 6 15:37:07 2024 +0100

    Version Packages (#378)

    Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

commit 3235392
Author: Iakhub Seitasanov <seitasanov.yahub@gmail.com>
Date:   Wed Mar 6 17:29:46 2024 +0300

    fix: prevent duplication of location header (#369)

    * fix: prevent duplication of location header

    * changeset

    * fix linting

    ---------

    Co-authored-by: conico974 <nicodorseuil@yahoo.fr>

commit af2d3ce
Author: Chung Wei Leong <15154097+chungweileong94@users.noreply.github.com>
Date:   Wed Mar 6 22:06:33 2024 +0800

    Fix image optimization support for Next 14.1.1 (#377)

    * Move image optimization to plugin

    * Refactor image optimization code

    * Added image optimization plugin for 14.1.1

    * Fix image optimization plugin

    * Add changeset

    * Revert default sharp version to 0.32.6

    * e2e test for image optimization

    * change one of the test to use an external image

    ---------

    Co-authored-by: Dorseuil Nicolas <nicodorseuil@yahoo.fr>

commit 3deb202
Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Date:   Tue Feb 13 08:39:35 2024 -0800

    Version Packages (#363)

    Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

commit f9b90b6
Author: khuezy <khuezy.nguyen@gmail.com>
Date:   Tue Feb 13 08:35:10 2024 -0800

    changeset/2.3.6 (#362)

commit 40c2b36
Author: Patrick Ufer <46608534+patrickufer@users.noreply.github.com>
Date:   Tue Feb 13 09:23:40 2024 -0700

    security fix: upgrade sharp version to 0.32.6 (#361)

    * upgrade sharp version

commit 63fab05
Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Date:   Fri Feb 2 00:14:11 2024 +0100

    Version Packages (#359)

    Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

commit c80f1be
Author: conico974 <nicodorseuil@yahoo.fr>
Date:   Fri Feb 2 00:00:56 2024 +0100

    Fix trailing slash redirect to external domain (#358)

    * fix trailing slash redirect to external domain

    * changeset

commit 186e28f
Author: Jaden VanEckhout <jadenv@users.noreply.github.com>
Date:   Thu Feb 1 16:49:14 2024 -0600

    fix(open-next): correctly set cache control for html pages (#353)

    * fix(open-next): correctly set cache control for html pages

    * changeset

    ---------

    Co-authored-by: conico974 <nicodorseuil@yahoo.fr>

commit b9eefca
Author: Manuel Antunes <57446204+Manuel-Antunes@users.noreply.github.com>
Date:   Thu Feb 1 19:41:47 2024 -0300

    Fix Cache Support for Next@14.1.0 (#356)

    * feat: add cache support for next@14.1.0

    * fix: lint files

    * chore: apply the proposed changes

    * Fix typo

    * changeset

    ---------

    Co-authored-by: conico974 <nicodorseuil@yahoo.fr>

commit afd9605
Author: conico974 <nicodorseuil@yahoo.fr>
Date:   Sat Jan 27 15:19:11 2024 +0100

    update docs for V3 (#351)

commit 46241fe
Author: Abhishek Malik <abhimskywalker@users.noreply.github.com>
Date:   Sat Jan 27 19:45:18 2024 +0530

    Update bundle_size.mdx for excluding pdfjs-dist optional dependency docs (#346)

    * Update bundle_size.mdx for excluding pdfjs-dist optional dependency docs

    The current fix didn't work, but this updated fix did work for me. Hence proposing this as another solution.

    * Update docs/pages/common_issues/bundle_size.mdx

    Co-authored-by: khuezy <khuezy.nguyen@gmail.com>

    ---------

    Co-authored-by: khuezy <khuezy.nguyen@gmail.com>

commit 9a6473a
Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Date:   Fri Jan 5 16:56:42 2024 +0100

    Version Packages (#345)

    Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

commit bbf9b30
Author: Lucas Vieira <lucas.vieira94@outlook.com>
Date:   Fri Jan 5 12:45:13 2024 -0300

    fix(open-next): use dynamic import handler for monorepo entrypoint (#341)

    * fix(open-next): use dynamic import handler for monorepo entrypoint

    * changeset

    ---------

    Co-authored-by: Dorseuil Nicolas <nicodorseuil@yahoo.fr>

commit 83b0838
Author: santiperone <sdperone97@gmail.com>
Date:   Fri Jan 5 12:38:12 2024 -0300

    add support for bun lockfile in monorepo (#337)

    * add support for bun lockfile in monorepo

    * changeset

    ---------

    Co-authored-by: Dorseuil Nicolas <nicodorseuil@yahoo.fr>

commit e773e67
Author: Jan Stevens <JanStevens@users.noreply.github.com>
Date:   Fri Jan 5 16:31:27 2024 +0100

    fix: try to match errors, fall back to just adding raw key / value pair (#336)

    * fix: try to match errors, fall back to just adding raw key / value pair instead

    * changeset

    * fix lint

    ---------

    Co-authored-by: Dorseuil Nicolas <nicodorseuil@yahoo.fr>

commit fd90b26
Author: Dylan Irion <61515823+dylanirion@users.noreply.github.com>
Date:   Fri Jan 5 17:22:28 2024 +0200

    Changes encoding on cache.body from utf8 to base64 (#329)

    * changes encoding on cache.body from utf8 to base64

    * retain utf8 for json content-type

    * opting for less greedy base64

    * use isBinaryContentType

    * changeset

    ---------

    Co-authored-by: Dorseuil Nicolas <nicodorseuil@yahoo.fr>

commit eb08980
Author: sommeeeR <91796856+sommeeeer@users.noreply.github.com>
Date:   Fri Jan 5 16:02:47 2024 +0100

    fix: make invalidateCFPaths function async in docs (#344)

commit 83207d8
Author: conico974 <nicodorseuil@yahoo.fr>
Date:   Thu Dec 14 16:59:15 2023 +0100

    updated docs for v3 (#334)

commit 0e827ce
Author: conico974 <nicodorseuil@yahoo.fr>
Date:   Fri Dec 8 17:57:51 2023 +0100

    ci: update node e2e

commit 36da819
Author: conico974 <nicodorseuil@yahoo.fr>
Date:   Thu Dec 7 17:44:06 2023 +0100

    Initial docs for V3 (#330)

    * docs for V3

    * fix link

    * clearer routes in config

conico974 added a commit that referenced this pull request May 3, 2024
* created basic config file

* basic wrapper and converter implementation

* Minimal response writable

* build config

* change response to transform to allow to use pipeline

* fix streaming for v3

* compression support

* better docker handler

* add converter for apigw-v1 & cloudfront

* overridable queue

* overridable s3 cache

* overridable tag cache

* prebuild middleware

* refactor routing and middleware

* big refactoring

moved files around so that it makes more sense
deleted a bunch of useless files
added todo to remind myself of what I still need to do

* refactor: cleanup plugins

added a deletes options in open-next plugin

* make other lambdas overridable as well

* externalMiddleware

* improve plugins

* fix proxy request and make it work with streaming

* bugfix

* fix host

* refactor wrapper

* generate basic dockerfile

* Only build open-next config once

* generate basic output file for IAC to use

* basic splitting

* bundled next server

* fix external middleware cloudfront

* fix image adapter rebase

* couple of fix for node

* package version

* support for warmer with split fn

* basic support for edge runtime

There are some restrictions:
Only 1 route per function
Support only app route and page
No streaming

* external middleware support rewrite between splitted servers

* fix alias

* update package.json

* use AsyncLocalStorage to scope lastModified to a single request

* merge upstream/main

* Add basic validation

* fix EISDIR issue with copying traced symlink

* added override name to the output for better IAC support

* rename BuildOptions
remove some unused options
properly handle minify

* normalize locale path before passing to middleware

* Copy necessary static files

* fix issues with fallback and i18n in page router

* Add a big warning for build on windows

* fix for cloudflare workers

* add wasm files and assets

* fix 14.1 cache

* fix wasm import node

* update version

* merge upstream

* make open-next.config.ts optional

* Fix cannot write default config file b/c folder not created (#364)

* Fix cannot write default config file b/c folder not created

* Removed copyTracedFiles debug log

* fix for monorepo

* fix for output for dynamodb provider

* fix dynamoProvider, skipTrailingSlash, weird ISR deduplication issue

* little improvement to streaming in lambda

* fix another monorepo error

* e2e fixes for v3 rc

* update version

* Not use custom-resource converter for dynamodb seeding adapter (#365)

* Not use custom-resource converter for dynamodb seeding adapter

* fix e2e

---------

Co-authored-by: Dorseuil Nicolas <nicodorseuil@yahoo.fr>

* fix fallback false for route without i18n

* version package update

* fix for next 12

* add support for basePath

* allow customization of sharp runtime

* updated edge converter to match behaviour of lambda

* update version

* fix monorepo

* improved streaming

aws/aws-lambda-nodejs-runtime-interface-client#94 (comment)

* update version

* fix open-next config build that depends on node

* fix crypto middleware node 20

* Sync

* fix resolve in image optimization
also fix image opt not using streaming

* add better error when edge runtime is used inside node

* update version

* fix null error on lambda
hopefully

* update version

* fix 500 on aws-lambda wrapper

* update version

* fix duplex for request in node

* fix & refactor middleware response headers

* update version

* Sync

* update version

* removed specific lambda streaming hack
It's been fixed upstream

* add geo in middleware

* added helpers function for config file
Better typing as well

* fix for 14.2

* update version

* fix redirect lambda streaming

* fix e2e tests

* test: improve reliability of test for revalidateTag

* update version

* review fix

* fix cookies in streaming
also fix an issue when both middleware and page try to set cookies
OpenNextNodeResponse also implements ServerResponse

* make all write to ddb chunked

* changeset

* fix e2e

---------

Co-authored-by: Frank <wangfanjie@gmail.com>