Conversation
Bumps [image-size](https://github.com/image-size/image-size) from 1.2.1 to 2.0.2. - [Release notes](https://github.com/image-size/image-size/releases) - [Commits](image-size/image-size@v1.2.1...v2.0.2) --- updated-dependencies: - dependency-name: image-size dependency-version: 2.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Pull Request Overview
This PR updates the image-size dependency from version 1.2.1 to 2.0.2, which is a major version bump that includes security fixes, performance improvements, and API changes including the removal of synchronous APIs.
Key changes:
- Updates image-size from ^1.2.0 to ^2.0.2 in package.json
- Incorporates security fixes for potential Denial of Service vulnerabilities
- Adopts breaking changes including removal of synchronous API and switch from Buffer to UInt8Array
| "axios": "^1.8.4", | ||
| "compare-versions": "^6.1.1", | ||
| "image-size": "^1.2.0", | ||
| "image-size": "^2.0.2", |
There was a problem hiding this comment.
This major version update removes the synchronous API from image-size. You need to verify that all usage of image-size in the codebase has been updated to use the asynchronous API, as synchronous calls like imageSize(buffer) will no longer work and need to be replaced with await imageSize(buffer) or Promise-based patterns.
There was a problem hiding this comment.
Please evalute the required changes to existing code when merging this PR
There was a problem hiding this comment.
@copilot
Please evalute the required changes to existing code when merging this PR
|
@copilot |
|
@dependabot recreate |
|
Sorry, only users with push access can use that command. |
2 participants
Bumps image-size from 1.2.1 to 2.0.2.
Release notes
Sourced from image-size's releases.
Commits
032c3342.0.28994131fix potential Denial of Service via specially crafted payloads (#436)e62c61fdelete the part about partial downloadinga5750c52.0.16c3cb71fix the bin script9cfcb4fAdd a sync usage example1fb8f412.0.07b19493Fix for reading offset and looking up buffer at that offset without validatin...6d1fc25Fixed url. The domain had expired. (#423)636ebd02.0.0-beta.4You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)