
CVE-2022-29256 - moderate severity - Possible vulnerability at 'npm install' time if an attacker has control over build environment

Open lovell opened this issue 3 years ago • 2 comments

There's a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5.

An attacker would need to be able to set environment variables in your build environment to take advantage, so this is unlikely to affect most people. This does not affect sharp at runtime. Please see https://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5 for full details.

Please upgrade to the latest v0.30.5 of sharp where possible. You might be able to run npm audit fix to do this.

If you are using another package which depends on a version of sharp that is not the latest, please open an issue against that package.

If all the above fails, and as a temporary workaround, add the following to your package.json file and run npm install or yarn again.

{
  "overrides": {
    "sharp": "^0.30.5"
  },
  "resolutions": {
    "sharp": "^0.30.5"
  }
}

lovell avatar May 25 '22 08:05 lovell
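As an added example (not code from the sharp project or from this issue), the following Node script does the two checks a practitioner would want after reading the post above: it walks a lockfileVersion 2/3 package-lock.json to find every copy of sharp, including nested copies pulled in by other packages, that resolved below the fixed 0.30.5 release, and it builds the `overrides`/`resolutions` additions to package.json that the workaround describes. The lockfile and package names used here are constructed for illustration; the version comparison is a minimal semver-style comparator written for this example.

```javascript
// Added example (not part of sharp or this issue thread): audit a package-lock
// for copies of sharp older than the fixed release, and build the package.json
// patch from the workaround above. SAMPLE_LOCK is constructed, not real data.

const FIXED_VERSION = "0.30.5"; // first release without the install-time issue

// Parse "x.y.z" (a leading "v" or trailing pre-release tag is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two version strings numerically: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3) and return every
// install path whose resolved sharp version is older than minVersion.
// Nested paths like "node_modules/foo/node_modules/sharp" are the ones a
// direct upgrade in package.json does not fix.
function findOutdatedSharp(lockfile, minVersion = FIXED_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/sharp")) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Merge the workaround from the issue into an existing package.json object:
// "overrides" for npm, "resolutions" for Yarn classic. Existing entries in
// either map are preserved.
function withSharpOverride(pkg, range = `^${FIXED_VERSION}`) {
  return {
    ...pkg,
    overrides: { ...(pkg.overrides || {}), sharp: range },
    resolutions: { ...(pkg.resolutions || {}), sharp: range },
  };
}

// Constructed sample lockfile: the app itself depends on sharp 0.30.5, but a
// hypothetical dependency "image-lib" still pins a nested 0.30.4.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { sharp: "^0.30.5", "image-lib": "1.0.0" } },
    "node_modules/sharp": { version: "0.30.5" },
    "node_modules/image-lib": { version: "1.0.0", dependencies: { sharp: "0.30.4" } },
    "node_modules/image-lib/node_modules/sharp": { version: "0.30.4" },
  },
};

// Report the nested copy that would still trigger the advisory's alert, then
// show the package.json additions that force it to the fixed range.
console.log("outdated sharp copies:", findOutdatedSharp(SAMPLE_LOCK));
console.log(JSON.stringify(withSharpOverride({ name: "example-app" }), null, 2));
```

To use this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; after adding the overrides and re-running `npm install`, the audit should return an empty list.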

I don't know what 0.30.5 updated, but I can't install 0.30.5

gyp info it worked if it ends with ok
gyp info using [email protected]
gyp info using [email protected] | win32 | x64
gyp ERR! find Python
gyp ERR! find Python Python is not set from command line or npm configuration
gyp ERR! find Python Python is not set from environment variable PYTHON
gyp ERR! find Python checking if "python3" can be used ...

So I still use 0.30.4 now

apprat avatar May 29 '22 14:05 apprat

If you have a problem at install time, please open a new installation issue and answer all of the questions.

https://github.com/lovell/sharp/issues/new?labels=installation&template=installation.md

lovell avatar May 30 '22 08:05 lovell

Closing as this is now 90 days old. Hopefully everyone that had to deal with alerts about this has now had a chance to upgrade.

Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.

lovell avatar Aug 23 '22 08:08 lovell