Bump sharp from 0.34.5 to 0.35.0

[dependabot]

Bumps sharp from 0.34.5 to 0.35.0.

Release notes

Sourced from sharp's releases.

v0.35.0

• Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

• Breaking: Remove install script from package.json file. Compiling from source is now opt-in via the build script.

• Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

• Breaking: Add limitInputChannels with a default value of 5.

• Breaking: Remove deprecated failOnError constructor property.

• Breaking: Remove deprecated paletteBitDepth from metadata response.

• Breaking: Remove deprecated properties from sharpen operation.

• Breaking: Rename format.jp2k as format.jp2 for API consistency.

• Upgrade to libvips v8.18.3 for upstream bug fixes.

• Remove experimental status from WebAssembly binaries.

• Add prebuilt binaries for FreeBSD (WebAssembly).

• Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

• Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

• Add AVIF/HEIF tune option for control over quality metrics. #4227

• Add keepGainMap and withGainMap to process HDR JPEG images with embedded gain maps. #4314

• Add toUint8Array for output image as a TypedArray backed by a transferable ArrayBuffer. #4355

• Require prebuilt binaries using static paths to aid code bundling. #4380

• TypeScript: Ensure FormatEnum keys match reality. #4475

• Add margin option to trim operation. #4480 @​eddienubes

• Ensure HEIF primary item is used as default page/frame. #4487

... (truncated)

Commits

• 2ed5af4 Release v0.35.0
• 4475cf1 Tests: update locator hash for sharp-libvips v1.3.0
• deb22dd Upgrade to sharp-libvips v1.3.0
• 07f1be9 Prerelease v0.35.0-rc.8
• df1109b Prerelease v0.35.0-rc.7
• aca49b3 Upgrade to libvips v8.18.3
• e9e86f5 Type-check density option before range validation (#4536)
• 2f0bcf0 Docs: update supported image formats
• 98e03b8 Revert "Guard heif bitdepth property for prebuilt binaries"
• e4ea2f3 CI: Ignore package minimum age in smoke tests
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​sharp@​0.35.0

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Embedded URLs or IPs: npm sharp URLs: https://sharp.pixelplumbing.com/install#cross-platform, https://sharp.pixelplumbing.com/install#building-from-source, https://sharp.pixelplumbing.com/install#canvas-and-windows, https://sharp.pixelplumbing.com/install, https://example.com/iiif Location: Package overview From: package.json → npm/sharp@0.35.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sharp@0.35.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[dependabot]

Superseded by #626.