Please upgrade sharp to version >0.32.6 due to **security vulnerability**

[jonasgeiler]

🙋 feature request

When using image optimization, parcel currently installs version ^0.31.1 of sharp, as hardcoded here:

parcel/packages/transformers/image/src/loadSharp.js

Line 5 in 38635b5

const SHARP_RANGE = '^0.31.1';

Unfortunately, all versions of sharp below 0.32.6 have a security vulnerability in the libwebp dependency, more information can be found here: GHSA-54xq-cgqr-rpm3
Dependabot and pnpm are constantly reporting this vulnerability, but I can't upgrade to a version above 0.31.3 since that breaks my parcel build (Error: Could not find module "sharp" satisfying ^0.31.1.).

🤔 Expected Behavior

Parcel installs sharp version 0.32.6 or above.

😯 Current Behavior

Parcel install sharp version 0.31.3.

💁 Possible Solution

Bump up the version in this line:

parcel/packages/transformers/image/src/loadSharp.js

Line 5 in 38635b5

const SHARP_RANGE = '^0.31.1';

And maybe check the changelog of sharp to make sure nothing breaks.

🔦 Context

I'm simply trying to make use of the image optimization and resizing feature. I have the following line in my HTML and I'm trying to get it to work: <img class="avatar" src="./images/avatar.jpg?as=webp&width=256" srcset="./images/avatar.jpg?as=webp&width=512 2x"/>

[gavar]

it’s insane that it still hasn't been updated

[jonasgeiler]

@gavar wrote: it’s insane that it still hasn't been updated

Unfortunately it seems like Parcel has been somewhat abandoned. Since creating this issue I have actually moved on to vite and vite-plugin-image-optimizer and it's working fine.