
CVE-2023-4863 - Upgrade Sharp #3760

Closed
Asheboy opened this issue Oct 19, 2023 · 1 comment · Fixed by #3786
Assignees
Labels
status: needs-triage Possible bug which hasn't been reproduced yet

Comments


Asheboy commented Oct 19, 2023

Link to reproduction

No response

Describe the Bug

CVE-2023-4863 affects libwebp which, if using the pre-built binaries, affects Sharp. See lovell/sharp#3798 for details.

To Reproduce

I ran npx create-payload-app and the following:

[ 16:05:04 ] ❯ yarn why payload
yarn why v1.22.19
[1/4] Why do we have the module "payload"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "payload@2.0.10"
info Has been hoisted to "payload"
info This module exists because it's specified in "dependencies".
info Disk size without dependencies: "20.28MB"
info Disk size with unique dependencies: "194.75MB"
info Disk size with transitive dependencies: "275.79MB"
info Number of shared dependencies: 187
Done in 1.98s.
✦ [ 15:59:54 ] ❯ yarn why sharp
yarn why v1.22.19
[1/4] Why do we have the module "sharp"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "sharp@0.31.3"
info Reasons this module exists
   - "payload" depends on it
   - Hoisted from "payload#sharp"
info Disk size without dependencies: "17.09MB"
info Disk size with unique dependencies: "18.07MB"
info Disk size with transitive dependencies: "19.53MB"
info Number of shared dependencies: 25
Done in 0.53s.

Payload Version

2.0.10

Adapters and Plugins

sharp
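
The report above shows `yarn why sharp` resolving sharp@0.31.3 as a transitive dependency of payload. As an added example (not code from this issue, from Payload or from sharp), the following Node.js script parses the `=> Found "<pkg>@<version>"` lines that `yarn why` prints and flags every resolved copy whose version is below a minimum patched release. The threshold is an assumption supplied by the caller on the command line, taken from the sharp advisory (lovell/sharp#3798), because this issue does not state which sharp release ships the fixed libwebp; the embedded sample is the `yarn why sharp` output quoted in the report.

```javascript
// Added example: audit `yarn why` output for a package resolved below a
// minimum patched version. Usage (stand-alone):
//   yarn why sharp > why.txt && node audit.js <min-patched-version>
// This file demonstrates on the sample below instead of reading a file.

// Sample constructed from the `yarn why sharp` output quoted in the issue.
const YARN_WHY_SHARP_OUTPUT = `yarn why v1.22.19
[1/4] Why do we have the module "sharp"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "sharp@0.31.3"
info Reasons this module exists
   - "payload" depends on it
   - Hoisted from "payload#sharp"
Done in 0.53s.`;

// Escape regex metacharacters so scoped names such as "@scope/pkg" are safe.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Collect every resolved version of `pkg`. yarn prints one "=> Found" line
// per installed copy, so a nested duplicate is reported as well.
function parseFoundVersions(output, pkg) {
  const re = new RegExp(`^=> Found "${escapeRegex(pkg)}@([^"]+)"`, 'gm');
  const versions = [];
  let m;
  while ((m = re.exec(output)) !== null) versions.push(m[1]);
  return versions;
}

// Numeric major.minor.patch comparison; pre-release suffixes are dropped,
// which is conservative for this purpose (a pre-release of the patched
// version is treated as patched only if its numeric part is high enough).
function compareSemver(a, b) {
  const parse = (v) => {
    const core = v.split('-')[0];
    if (!/^\d+(\.\d+){0,2}$/.test(core)) {
      throw new Error(`not a dotted numeric version: ${v}`);
    }
    return core.split('.').map(Number);
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Returns which resolved copies of `pkg` sit below `minPatched`.
function auditPackage(output, pkg, minPatched) {
  const versions = parseFoundVersions(output, pkg);
  if (versions.length === 0) return { found: false, versions: [], vulnerable: [] };
  const vulnerable = versions.filter((v) => compareSemver(v, minPatched) < 0);
  return { found: true, versions, vulnerable };
}

// Stand-alone run: the minimum patched version is an assumption the caller
// provides (first CLI argument); nothing is hard-coded here.
const minPatchedArg = typeof process !== 'undefined' ? process.argv[2] : undefined;
if (minPatchedArg) {
  const result = auditPackage(YARN_WHY_SHARP_OUTPUT, 'sharp', minPatchedArg);
  console.log(JSON.stringify(result, null, 2));
  if (result.vulnerable.length > 0) {
    console.log(`sharp ${result.vulnerable.join(', ')} is below ${minPatchedArg}: upgrade required`);
  }
}
```

In a real audit, replace the embedded sample with the captured `yarn why` output (for example by reading the file the command was redirected to) and pass the patched release named in the advisory as the argument; a non-empty `vulnerable` list means the lockfile still pins a build that bundles the affected libwebp.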

@Asheboy Asheboy added the status: needs-triage Possible bug which hasn't been reproduced yet label Oct 19, 2023
@denolfe denolfe self-assigned this Oct 20, 2023
@denolfe denolfe changed the title CVE-2023-4863 - Upgade Sharp CVE-2023-4863 - Upgrade Sharp Oct 20, 2023
github-actions bot commented Sep 7, 2024

This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 7, 2024