{"id":2355471,"name":"sharp","ecosystem":"npm","description":"High performance Node.js image processing, the fastest module to resize JPEG, PNG, WebP, GIF, AVIF and TIFF images","homepage":"https://sharp.pixelplumbing.com","licenses":"Apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/lovell/sharp","keywords_array":["jpeg","png","webp","avif","tiff","gif","svg","jp2","dzi","image","resize","thumbnail","crop","embed","libvips","vips"],"namespace":null,"versions_count":176,"first_release_published_at":"2013-08-20T23:01:27.754Z","latest_release_published_at":"2025-11-06T14:19:40.989Z","latest_release_number":"0.34.5","last_synced_at":"2026-06-01T15:25:39.527Z","created_at":"2022-04-10T00:37:46.002Z","updated_at":"2026-06-01T15:25:39.527Z","registry_url":"https://www.npmjs.com/package/sharp","install_command":"npm install sharp","documentation_url":null,"metadata":{"funding":{"url":"https://opencollective.com/libvips"},"dist-tags":{"latest":"0.34.5","next":"0.35.0-rc.5"}},"repo_metadata":{"id":10149290,"uuid":"12226786","full_name":"lovell/sharp","owner":"lovell","description":"High performance Node.js image processing, the fastest module to resize JPEG, PNG, WebP, AVIF and TIFF images. Uses the libvips library.","archived":false,"fork":false,"pushed_at":"2026-05-21T17:02:58.000Z","size":60059,"stargazers_count":32273,"open_issues_count":123,"forks_count":1409,"subscribers_count":225,"default_branch":"main","last_synced_at":"2026-05-28T16:30:24.612Z","etag":null,"topics":["avif","crop","exif","icc","image","image-processing","javascript","jpeg","libvips","nodejs","performance","png","resize","sharp","svg","tiff","webp"],"latest_commit_sha":null,"homepage":"https://sharp.pixelplumbing.com","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lovell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"open_collective":"libvips"}},"created_at":"2013-08-19T20:24:24.000Z","updated_at":"2026-05-28T15:53:26.000Z","dependencies_parsed_at":"2025-12-24T13:03:23.556Z","dependency_job_id":null,"html_url":"https://github.com/lovell/sharp","commit_stats":{"total_commits":2101,"total_committers":218,"mean_commits":9.637614678899082,"dds":0.1556401713469776,"last_synced_commit":"1533bf995acda779313fc178d2b9d46791349961"},"previous_names":[],"tags_count":190,"template":false,"template_full_name":null,"purl":"pkg:github/lovell/sharp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovell%2Fsharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovell%2Fsharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovell%2Fsharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovell%2Fsharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lovell","download_url":"https://codeload.github.com/lovell/sharp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovell%2Fsharp/sbom","scorecard":{"id":194317,"data":{"date":"2025-08-11","repo":{"name":"github.com/lovell/sharp","commit":"51d1a49abceb224d8e9d7122f54819904109d581"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.6,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 2/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: .github/SECURITY.md:1","Info: Found linked content: .github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1","Info: Found text in security policy: .github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:9","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:174","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:218","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:269","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ci.yml:302","Info: found token with 'none' permissions: .github/workflows/ci.yml:1","Info: found token with 'none' permissions: .github/workflows/npm.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: OSSFuzz integration found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.34.4-rc.1 not signed: https://api.github.com/repos/lovell/sharp/releases/235646050","Warn: release artifact v0.34.4-rc.0 not signed: https://api.github.com/repos/lovell/sharp/releases/235119355","Warn: release artifact v0.34.3 not signed: https://api.github.com/repos/lovell/sharp/releases/231366369","Warn: release artifact v0.34.3-rc.1 not signed: https://api.github.com/repos/lovell/sharp/releases/231265574","Warn: release artifact v0.34.3-rc.0 not signed: https://api.github.com/repos/lovell/sharp/releases/225359334","Warn: release artifact v0.34.4-rc.1 does not have provenance: https://api.github.com/repos/lovell/sharp/releases/235646050","Warn: release artifact v0.34.4-rc.0 does not have provenance: https://api.github.com/repos/lovell/sharp/releases/235119355","Warn: release artifact v0.34.3 does not have provenance: https://api.github.com/repos/lovell/sharp/releases/231366369","Warn: release artifact v0.34.3-rc.1 does not have provenance: https://api.github.com/repos/lovell/sharp/releases/231265574","Warn: release artifact v0.34.3-rc.0 does not have provenance: https://api.github.com/repos/lovell/sharp/releases/225359334"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:201: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:247: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:261: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:274: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:278: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:294: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:310: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:311: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:316: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:325: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/npm.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/npm.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/npm.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/npm.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/npm.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/npm.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/lovell/sharp/npm.yml/main?enable=pin","Warn: containerImage not pinned by hash: test/bench/Dockerfile:1: pin your Docker image by updating ubuntu:25.04 to ubuntu:25.04@sha256:95a416ad2446813278ec13b7efdeb551190c94e12028707dd7525632d3cec0d1","Warn: npmCommand not pinned by hash: test/bench/Dockerfile:18","Warn: npmCommand not pinned by hash: test/bench/Dockerfile:21","Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:160","Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:204","Warn: npmCommand not pinned by hash: .github/workflows/npm.yml:147","Info:   0 out of  16 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   5 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T21:32:19.987Z","repository_id":10149290,"created_at":"2025-08-16T21:32:19.987Z","updated_at":"2025-08-16T21:32:19.987Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33703065,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"tags":[]},"repo_metadata_updated_at":"2026-06-01T15:24:04.640Z","dependent_packages_count":4168,"downloads":256978043,"downloads_period":"last-month","dependent_repos_count":178353,"rankings":{"downloads":0.07378279088472844,"dependent_repos_count":0.08254538926059368,"dependent_packages_count":0.023890211207163524,"stargazers_count":0.5648878972532536,"forks_count":1.0891205827976835,"docker_downloads_count":0.057228044767458616,"average":0.3152424860284802},"purl":"pkg:npm/sharp","advisories":[{"uuid":"GSA_kwCzR0hTQS01NHhxLWNncXItcnBtM84AA3N1","url":"https://github.com/advisories/GHSA-54xq-cgqr-rpm3","title":"sharp vulnerability in libwebp dependency CVE-2023-4863","description":"## Overview\n\nsharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.\n\n## Who does this affect?\n\nAlmost anyone processing untrusted input with versions of sharp prior to 0.32.6.\n\n## How to resolve this?\n\n### Using prebuilt binaries provided by sharp?\n\nMost people rely on the prebuilt binaries provided by sharp.\n\nPlease upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.\n\n### Using a globally-installed libvips?\n\nPlease ensure you are using the latest libwebp 1.3.2.\n\n## Possible workaround\n\nAdd the following to your code to prevent sharp from decoding WebP images.\n```js\nsharp.block({ operation: [\"VipsForeignLoadWebp\"] });\n```","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2023-11-16T17:14:15.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.8,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","references":["https://github.com/lovell/sharp/security/advisories/GHSA-54xq-cgqr-rpm3","https://github.com/lovell/sharp/commit/dbce6fab795ca4250bda9b1ef502c1fdb7d4a30c","https://github.com/advisories/GHSA-54xq-cgqr-rpm3"],"source_kind":"github","identifiers":["GHSA-54xq-cgqr-rpm3"],"repository_url":"https://github.com/lovell/sharp","blast_radius":0.0,"created_at":"2023-11-16T18:06:12.685Z","updated_at":"2026-04-23T10:06:34.786Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NHhxLWNncXItcnBtM84AA3N1","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01NHhxLWNncXItcnBtM84AA3N1","packages":[{"ecosystem":"npm","package_name":"sharp","versions":[{"first_patched_version":"0.32.6","vulnerable_version_range":"\u003c 0.32.6"}],"purl":"pkg:npm/sharp"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NHhxLWNncXItcnBtM84AA3N1/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1ncDk1LXBwdjUtM2pjNc4AArTZ","url":"https://github.com/advisories/GHSA-gp95-ppv5-3jc5","title":"sharp vulnerable to Command Injection in post-installation over build environment","description":"There's a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5.\n\nThis is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.\n\nIf an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time.\n\nI've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a \"medium\" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.\n\n[`AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X`](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X\u0026version=3.1)\n\nThis problem was fixed in commit a6aeef6 and published as part of `sharp` v0.30.5.\n\nThank you very much to @dwisiswant0 for the responsible disclosure.\n\nRemember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.\n","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-06-01T19:58:29.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H","references":["https://github.com/lovell/sharp/security/advisories/GHSA-gp95-ppv5-3jc5","https://nvd.nist.gov/vuln/detail/CVE-2022-29256","https://github.com/lovell/sharp/commit/a6aeef612be50f5868a77481848b1de674216f0c","https://advisory.dw1.io/54","https://github.com/advisories/GHSA-gp95-ppv5-3jc5"],"source_kind":"github","identifiers":["GHSA-gp95-ppv5-3jc5","CVE-2022-29256"],"repository_url":"https://github.com/lovell/sharp","blast_radius":0.0,"created_at":"2022-12-21T16:12:22.075Z","updated_at":"2026-04-28T20:09:31.321Z","epss_percentage":0.00164,"epss_percentile":0.37365,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncDk1LXBwdjUtM2pjNc4AArTZ","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ncDk1LXBwdjUtM2pjNc4AArTZ","packages":[{"ecosystem":"npm","package_name":"sharp","versions":[{"first_patched_version":"0.30.5","vulnerable_version_range":"\u003c 0.30.5"}],"purl":"pkg:npm/sharp"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncDk1LXBwdjUtM2pjNc4AArTZ/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/sharp","docker_dependents_count":1719,"docker_downloads_count":973991177,"usage_url":"https://repos.ecosyste.ms/usage/npm/sharp","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/sharp/dependencies","status":null,"funding_links":["https://opencollective.com/libvips"],"critical":true,"issue_metadata":{"last_synced_at":"2026-04-08T21:13:02.622Z","issues_count":911,"pull_requests_count":144,"avg_time_to_close_issue":4799957.7770360485,"avg_time_to_close_pull_request":1491781.7578125,"issues_closed_count":749,"pull_requests_closed_count":128,"pull_request_authors_count":63,"issue_authors_count":791,"avg_comments_per_issue":4.615806805708013,"avg_comments_per_pull_request":2.5416666666666665,"merged_pull_requests_count":87,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":97,"past_year_pull_requests_count":44,"past_year_avg_time_to_close_issue":1681680.5254237289,"past_year_avg_time_to_close_pull_request":375650.1388888889,"past_year_issues_closed_count":59,"past_year_pull_requests_closed_count":36,"past_year_pull_request_authors_count":19,"past_year_issue_authors_count":92,"past_year_avg_comments_per_issue":3.783505154639175,"past_year_avg_comments_per_pull_request":1.9318181818181819,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":25,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovell%2Fsharp/issues","maintainers":[{"login":"lovell","count":16,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lovell"}],"active_maintainers":[{"login":"lovell","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lovell"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/sharp/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/sharp/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/sharp/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/sharp/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/sharp/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/sharp/codemeta","maintainers":[{"uuid":"lovell","login":"lovell","name":null,"email":"npm@lovell.info","url":null,"packages_count":79,"html_url":"https://www.npmjs.com/~lovell","role":null,"created_at":"2022-11-10T11:22:54.499Z","updated_at":"2022-11-10T11:22:54.499Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/lovell/packages"}]}