@sniperadmin (Owner)


Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • functions/package.json
  • functions/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                                          Score
medium severity   Improper Handling of Unicode Encoding (SNYK-JS-TAR-15038581)                     713
medium severity   Uncontrolled Resource Consumption ('Resource Exhaustion') (SNYK-JS-TAR-6476909)  646

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncontrolled Resource Consumption ('Resource Exhaustion')


@devloai (bot) left a comment


PR Summary:

This Snyk-automated PR upgrades sharp from 0.25.3 to 0.26.0 in Cloud Functions to fix two medium-severity vulnerabilities in the transitive tar dependency:

  • Improper Handling of Unicode Encoding (score 713)
  • Uncontrolled Resource Consumption (score 646)

The upgrade removes the vulnerable tar package by switching to tar-fs for Sharp's binary distribution.

Review Summary:

Reviewed the security upgrade against compatibility requirements and codebase usage. Found a potential compatibility issue with the Node.js version requirement (Sharp 0.26.0 needs Node.js >= 10.16.0, but the project specifies "node": "10") and noted that Sharp appears unused in the current Cloud Functions code.

Knowledge utilized: Sharp 0.26.0 breaking changes documentation, repository dependency management patterns, and Firebase Cloud Functions configuration.

Follow-up suggestions:

  • @devloai update the Node.js version requirement to >=10.16.0 in functions/package.json
  • @devloai verify if sharp is needed and remove if unused

"firebase-admin": "^9.0.0",
"firebase-functions": "^3.5.0",
"sharp": "^0.25.3",
"sharp": "^0.26.0",
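Review bot: This one-line bump from ^0.25.3 to ^0.26.0 is not by itself evidence that the vulnerable tar is gone; the PR summary says the fix works by sharp switching from tar to tar-fs, so what actually removes tar from the tree is the regenerated functions/package-lock.json that this PR also changes. Before merging, run `npm ci` in functions/ and check `npm ls tar` shows no copy resolving under sharp (and no other dependency still pulling the same tar line in). The hunk also leaves the engines field in this same file at "node": "10" while the review comments state sharp 0.26.0 needs Node >= 10.16.0; either tighten that field or note in the PR why the deployed Node 10 runtime already meets it, so the requirement is recorded rather than assumed.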

Unused dependency: The sharp package is listed as a dependency but appears to be unused in the codebase. I checked functions/index.js and found no imports or usage of Sharp.

While this security upgrade is valuable for fixing the tar vulnerabilities, consider:

  1. Verifying if Sharp is actually needed for this project
  2. If unused, removing it entirely to reduce the dependency footprint and security surface area
  3. If it's planned for future use (e.g., image processing for product uploads), that's fine - but document this intent

This would make dependency management cleaner and reduce unnecessary security updates in the future.


"firebase-admin": "^9.0.0",
"firebase-functions": "^3.5.0",
"sharp": "^0.25.3",
"sharp": "^0.26.0",

Potential compatibility issue: Sharp 0.26.0 requires Node.js >= 10.16.0 due to changes in the prebuilt binary distribution system.

According to the Sharp 0.26.0 changelog, this version uses statically-linked and Brotli-compressed libvips binaries that require at least Node.js 10.16.0.

The current package.json specifies "node": "10" in the engines field (line 14), which may allow older Node 10.x versions that are incompatible.

Recommendation: Verify your Cloud Functions runtime version and update the Node.js version requirement to be explicit:

"engines": {
  "node": ">=10.16.0"
}

If you're locked to an older Node 10.x version, this upgrade may fail at runtime.

