[Snyk] Upgrade sharp from 0.32.6 to 0.33.2

[Woodpile37]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade sharp from 0.32.6 to 0.33.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 17 versions ahead of your current version.
• The recommended version was released 23 days ago, on 2024-01-12.

Release notes

Package name: sharp

• 0.33.2 - 2024-01-12
  No content.
• 0.33.2-rc.1 - 2024-01-12
  No content.
• 0.33.2-rc.0 - 2024-01-11
  No content.
• 0.33.1 - 2023-12-17
  No content.
• 0.33.1-rc.3 - 2023-12-17
  No content.
• 0.33.1-rc.2 - 2023-12-17
  No content.
• 0.33.1-rc.0 - 2023-12-12
  No content.
• 0.33.0 - 2023-11-29
  No content.
• 0.33.0-rc.2 - 2023-11-22
  No content.
• 0.33.0-alpha.11 - 2023-11-10
• 0.33.0-alpha.10 - 2023-11-04
• 0.33.0-alpha.9 - 2023-10-13
• 0.33.0-alpha.8 - 2023-10-10
• 0.33.0-alpha.7 - 2023-10-10
• 0.33.0-alpha.6 - 2023-10-09
• 0.33.0-alpha.4 - 2023-10-06
• 0.33.0-alpha.3 - 2023-10-06
• 0.32.6 - 2023-09-18

from sharp GitHub release notes

Commit messages

Package name: sharp

• bcb22af Release v0.33.2
• d04dc62 Prerelease v0.33.2-rc.1
• c30d355 CI: Fix npm smoke test expectation
• 49cb148 Prerelease v0.33.2-rc.0
• 3bc31a8 CI: Verify emscripten versions match
• c28523e CI: Update Emscripten Docker image to 3.1.51 (Navbar Issue nodejs/nodejs.org#3907)
• 278f393 Upgrade to libvips v8.15.1
• cbf68c1 Improve error for unsupported multi-page rotation build(deps): bump prismjs from 1.23.0 to 1.24.0 nodejs/nodejs.org#3940
• 45e8071 Add runtime check for outdated Node.js version
• b96389d Docs: refresh index
• a77ac6a Docs: correct semver for supported Node.js versions (Create njsscan-analysis.yml nodejs/nodejs.org#3937)
• 9bcf399 Ensure extend op stays sequential when copying px Why the BLM donation link was removed? nodejs/nodejs.org#3928
• 4aacee8 Docs: include img-scoped packages in electron asarUnpack
• 0b18aef CI: Remove use of nodesource repos
• bed1c2a Bump deps
• 8cd8326 Docs: add electron to bundlers section
• 0499f59 Docs: add minimum dep versions to build from source
• 1fa59bf Remove any suggestion to --force install
• db40ee6 Docs: add note about Lambda lacking symlink support
• 02b98b8 Issue template: ask for complete error message
• 31fef21 Docs: changelog entry for SPAM nodejs/nodejs.org#3914
• 77ab5d7 TypeScript: add definition for keepMetadata (SPAM nodejs/nodejs.org#3914)
• cd5cf7c Docs: direct cross-platform Lambda users to relevant section
• 39cb9d9 Issue template: yarn pnp is now supported

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[changeset-bot]

⚠️ No Changeset found

Latest commit: d803c2f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codeautopilot]

PR summary

The Pull Request upgrades the sharp package from version 0.32.6 to 0.33.2. This update includes a significant number of changes, including new releases and commits that potentially add features, fix bugs, and improve performance. The upgrade spans 17 versions and was released 23 days ago. The sharp package is a high-performance Node.js image processing library used to convert large images in common formats to smaller, web-friendly JPEG, PNG, WebP, GIF, AVIF, and TIFF images of varying dimensions.

Suggestion

While the PR seems to be automatically generated and well-intentioned to keep dependencies up-to-date, it is important to:

1. Review the release notes and commit messages for any breaking changes or important deprecations that could affect the project.
2. Run tests to ensure that the upgrade does not introduce any regressions or incompatibilities.
3. Check if the project's documentation needs to be updated to reflect any new features or changes in behavior resulting from the upgrade.
4. Consider setting up a CI/CD pipeline to automatically test and merge dependency updates if not already in place.

Disclaimer: This comment was entirely generated using AI. Be aware that the information provided may be incorrect.

Current plan usage: 47.13%

Have feedback or need help?
Discord
Documentation
support@codeautopilot.com

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/sharp@0.33.2	environment Transitive: eval, filesystem, shell	+30	180 MB	lovell

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/sharp@0.33.2	Install script: install Source: node install/check	package-lock.json package.json

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/sharp@0.33.2