-
Notifications
You must be signed in to change notification settings - Fork 27k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(next/image)!: remove squoosh
in favor of sharp
as optional dependency
#63321
Conversation
Notifying the following users due to files changed in this PR based on this repo's notify modifiers: @timneutkens, @ijjk, @shuding:
|
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@types/sharp@0.29.3, npm/get-orientation@1.1.2, npm/image-size@0.9.3, npm/image-size@1.0.0 |
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring: Next stepsTake a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with |
@SocketSecurity ignore npm/sharp@0.33.3 |
@styfle Thanks for this! 🙌 This was released in ➜ p mkdir a
➜ p cd a
➜ a pnpm create next-app@14.3.0-canary.24 . --app --no-eslint --no-src-dir --import-alias @/\* --no-tailwind --typescript
.../18f19519fb1-1452a | +1 +
.../18f19519fb1-1452a | Progress: resolved 1, reused 0, downloaded 1, added 1, done
Creating a new Next.js app in /Users/k/p/a.
Using pnpm.
Initializing project with template: app
Installing dependencies:
- react
- react-dom
- next
Installing devDependencies:
- typescript
- @types/node
- @types/react
- @types/react-dom
Packages: +40
++++++++++++++++++++++++++++++++++++++++
Downloading @next/swc-darwin-arm64@14.3.0-canary.24: 37.39 MB/37.39 MB, done
Downloading next@14.3.0-canary.24: 23.71 MB/23.71 MB, done
Progress: resolved 66, reused 37, downloaded 4, added 40, done
dependencies:
+ next 14.3.0-canary.24
+ react 18.3.0
+ react-dom 18.3.0
devDependencies:
+ @types/node 20.12.7
+ @types/react 18.3.0
+ @types/react-dom 18.3.0
+ typescript 5.4.5
Done in 12.8s
Initialized a git repository.
Success! Created a at /Users/k/p/a
➜ a git:(main) cat node_modules/.pnpm/next@14.3.0-canary.24_react-dom@18.3.0_react@18.3.0__react@18.3.0/node_modules/sharp/package.json
{
"name": "sharp",
"description": "High performance Node.js image processing, the fastest module to resize JPEG, PNG, WebP, GIF, AVIF and TIFF images",
"version": "0.33.3",
... One thing that was a bit surprising was that
|
Looking forward to the stable release (probably will be in the next major):
|
That's how pnpm works. You can
It will will likely be |
Great, updated my post above, thanks!
Yeah totally understand here - Yarn v1 is still entrenched in a lot of places. (even for some of our apps still on our list to upgrade) |
Since
|
@Netail See the "Breaking Change" section of the PR description above |
Ahhh oke, interesting. That's gonna break a lot of frontends (And kind of annoying in terms of DX), as Yarn v1 is still used by 2.5 million people... |
Ah yes your're correct, I meant installs. But I feel like the flag |
Also this error is shown even tho I do not make use of the next image component, this happens with a clean create-next-app + a canary version of |
Which issues are you seeing and with which packages?
The default
|
None right now, but could occur I guess
Sorry, not entirely clear. Got rid of the page contents, but no usage of next/image |
In that case, you can ignore the warning because |
I see the problem now. We need to lazy load it so you only get the error when using image optimization. This should fix it: #65484 |
Lovely, thanks :) |
This parameter was previously used for a warning message, but we no longer print that warning since #63321 so now we can remove the unused parameter.
History
Previously, we added support for
squoosh
because it was a wasm implementation that "just worked" on all platforms when runningnext dev
for the first time. However, it was slow so we always recommended manually installingsharp
for production use cases runningnext build
andnext start
.Now that
sharp
supports webassembly, we no longer need to maintainsquoosh
, so it can be removed. We also don't need to make the user install sharp manually because it can be installed underoptionalDependencies
. I left it optional in case there was some platform that still needed to manually install the wasm variant withnpm install --cpu=wasm32 sharp
such as codesandbox/stackblitz (I don't believe sharp has any fallback built in yet).Since we can guarantee
sharp
, we can also removeget-orientation
dep and upgradeimage-size
dep.I also moved an existing
sharp
test into its own fixture since it was unrelated to image optimization.Related Issues
squoosh
in favor ofsharp
as optional dep" #61810squoosh
in favor ofsharp
as optional dep #61696next/image
#44685Breaking Change
This is a breaking change because newer versions of
sharp
no longer supportyarn@1
.The workaround is to install with
yarn --ignore-engines
flag.Also note that Vercel no longer defaults to yarn when no lockfile is found
yarn
tonpm
(gated behind feature flag) vercel#11131VERCEL_ENABLE_NPM_DEFAULT
env var check vercel#11242Closes NEXT-2823