sharp
High performance Node.js image processing, the fastest module to resize JPEG, PNG, WebP, GIF, AVIF and TIFF images
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): sharp is a long-established, highly trusted package with 58.7M weekly downloads. Lack of Sigstore provenance is not a meaningful risk signal here. | ai | |
| phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is used in binding.gyp for native addon compilation, not directly imported in JS. Expected pattern for native bindings. | ai | |
| phantom-deps | phantom-dep:prebuild-install | AI (phantom-deps): prebuild-install is invoked in the install script to fetch prebuilt binaries; not directly require()d. Standard pattern for native addons. | ai | |
| dependencies | unvetted-dep:detect-libc | AI (dependencies): detect-libc is a well-known utility for C library detection, essential for sharp's platform-specific binary selection. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into spawnSync for pkg-config is standard for native bindings; not exfiltration. Stable for sharp. | ai | |
| install-scripts | install-script:install | AI (install-scripts): sharp's install script fetches prebuilt libvips binaries or falls back to node-gyp; documented native binding flow. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic requires load vendor version/platform JSON files; standard pattern for native bindings. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in libvips.js for build/install tooling; expected for native bindings. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 0.34.1 | 3 / 20 | |
| 0.33.5 | 3 / 21 | |
| 0.33.4 | 3 / 21 | |
| 0.33.2 | 3 / 21 | |
| 0.33.0 | 3 / 21 | |
| 0.32.6 | 8 / 14 | |
v0.34.1
2 findings

Spreading entire process.env into an object — may capture all secrets

Source: https://github.com/lovell/sharp/blob/5cae1abe8f0f7b0f28cfe531498458d5bae36639/lib/libvips.js#L135

```js
133 | const globalLibvipsVersion = spawnSync('pkg-config --modversion vips-cpp', {
134 |   ...spawnSyncOptions,
> 135 |   env: {
136 |     ...process.env,
137 |     PKG_CONFIG_PATH: pkgConfigPath()
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.5
2 findings

Spreading entire process.env into an object — may capture all secrets

Source: https://github.com/lovell/sharp/blob/fc32e0bd3f9111b80cf078df7b0cfc355695674e/lib/libvips.js#L133

```js
131 | const globalLibvipsVersion = spawnSync('pkg-config --modversion vips-cpp', {
132 |   ...spawnSyncOptions,
> 133 |   env: {
134 |     ...process.env,
135 |     PKG_CONFIG_PATH: pkgConfigPath()
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.4
2 findings

Spreading entire process.env into an object — may capture all secrets

Source: https://github.com/lovell/sharp/blob/19d0e272e6e9446aa67c20b86e3bb53d1c976ca0/lib/libvips.js#L133

```js
131 | const globalLibvipsVersion = spawnSync('pkg-config --modversion vips-cpp', {
132 |   ...spawnSyncOptions,
> 133 |   env: {
134 |     ...process.env,
135 |     PKG_CONFIG_PATH: pkgConfigPath()
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.2
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.0
1 finding

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.6
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.