[GHSA-54xq-cgqr-rpm3] sharp vulnerability in libwebp dependency CVE-2023-4863

[Xyaren]

Updates

• Affected products

Comments
Patched version does not exist

[github]

Hi there @lovell! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[lovell]

Patched version does not exist

Are you able to explain more about this comment given the existence of https://www.npmjs.com/package/sharp/v/0.32.6

In addition, my understanding of the OSV format is that fixed is rather important, and removing it could break automated tooling that depends upon it.

[darakian]

+1
would love more of an explanation here

[Xyaren]

Sorry, misinterpreted an error in the dependabot pipeline. 😞
Apparently got confused between 0.32.6 and 0.33.6

[darakian]

All good. Thanks for taking the time to act on something you thought was wrong :)