Skip to content

fix(server): bump sharp to 0.34.3 + add unlimited flag #20327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

fix(server): bump sharp to 0.34.3 + add unlimited flag #20327

wants to merge 3 commits into from

Conversation

simonhammes
Copy link

@simonhammes simonhammes commented Jul 27, 2025
edited
Loading

Description

This bumps sharp to 0.34.3 and adds the unlimited flag to disable all memory-related restrictions.

Fixes #20028

To Do

How Has This Been Tested?

  • Uploaded large (in terms of pixel size) HEIC file and verified that Immich was able to generate thumbnail images

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if applicable
  • I have no unrelated changes in the PR.
  • I have confirmed that any new dependencies are strictly necessary.
  • I have written tests for new code (if applicable)
  • I have followed naming conventions/patterns in the surrounding code
  • All code in src/services/ uses repositories implementations for database calls, filesystem operations, etc.
  • All code in src/repositories/ is pretty basic/simple and does not have any immich specific logic (that belongs in src/services/)

simonhammes
simonhammes commented Jul 27, 2025
View reviewed changes
server/src/repositories/media.repository.ts
@@ -141,6 +141,7 @@ export class MediaRepository {
failOn: options.processInvalidImages ? 'none' : 'error',
limitInputPixels: false,
raw: options.raw,
unlimited: true,
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should presumably be guarded behind some sort of configuration option (e.g. an environment variable).

Enabling this should be carefully considered in deployments where trust in users is weaker.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you elaborate on the potential issues or security concerns?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could presumably create a malicious image which consumes enough memory to crash the server

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps it'd be better to make limitInputPixels configurable? That sounds like it might also solve this and be a safer approach. Potentially it could be set based on available system memory, which might also prevent people from hitting this as often

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could presumably create a malicious image which consumes enough memory to crash the server

Thank you, this is what I meant

This was referenced Jul 27, 2025
Closed
Closed
@Saopanda
Copy link

Saopanda commented Aug 8, 2025

the base-image is merged

@simonhammes simonhammes marked this pull request as ready for review August 13, 2025 06:59
@Saopanda
Copy link

0.0

mertalev
mertalev reviewed Aug 29, 2025
View reviewed changes
Copy link
Member

@mertalev mertalev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use pnpm now, so this PR needs to be updated to bump sharp using pnpm.

server/Dockerfile
@@ -1,5 +1,5 @@
# dev build
FROM ghcr.io/immich-app/base-server-dev:202507291116@sha256:e38543bdd77a02ed156cd9175ed11e9c16dccf48c418d46ecda48ce684de456a AS dev
FROM ghcr.io/immich-app/base-server-dev:commit-e54882f68fed72fa84c0bb3c422e374a7c082703 AS dev
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

libvips 8.17 is already in the current base image, so no need to change the tag.

@mertalev mertalev mentioned this pull request Sep 4, 2025
Merged
@mertalev
Copy link
Member

mertalev commented Sep 4, 2025

Superseded by #21596

@mertalev mertalev closed this Sep 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benmccann benmccann benmccann left review comments

@alextran1502 alextran1502 alextran1502 left review comments

@mertalev mertalev mertalev left review comments

@danieldietzler danieldietzler Awaiting requested review from danieldietzler danieldietzler is a code owner

Assignees
No one assigned
Labels
changelog:bugfix 🗄️server
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Large HEIC files can not be processed
5 participants
@simonhammes @Saopanda @mertalev @benmccann @alextran1502