Storage and image processing server written in Go

Mort


An S3-compatible image processing server written in Go. Still in active development.

Features

  • HTTP server
  • Resize, Rotate, SmartCrop
  • Convert (JPEG, PNG, BMP, WebP)
  • Multiple storage backends (disk, S3, http)
  • Fully modular
  • S3 API for listing and uploading files
  • Requests collapsing
  • Built-in rate limiter
  • HTTP Range and Conditional requests
  • Compression (gzip, brotli)

And more; see the changelog for details.

Demo


More examples can be found in the Image Operations list.

Demo presets:

preset: small

(preserve aspect ratio) width: 75

preset: blur

  • resize image (preserve aspect ratio) width: 700

  • blur image with sigma 5.0

preset: webp

  • resize image (preserve aspect ratio) width: 1000

  • and change format to webp

preset: watermark

  • resize image (preserve aspect ratio) width: 1300

  • and add watermark

Usage

Mort can be used directly from the Internet and behind any proxy.

Install

go get github.com/aldor007/mort/cmd/

Command line help

$ ./mort
Usage of  mort
  -config string
    	Path to configuration (default "/etc/mort/mort.yml")

Configuration

Example configuration used for providing demo images:

headers: #  add or overwrite all response headers of given status. This field is optional
  - statusCodes: [200]
    values:
      "cache-control": "max-age=84000, public"

buckets: # list of available buckets 
    demo:    # bucket name 
        keys: # list of S3 keys (optional)
          - accessKey: "access"
            secretAccessKey: "random"
        transform: # config for transforms
            path: "\\/(?P<presetName>[a-z0-9_]+)\\/(?P<parent>[a-z0-9-\\.]+)" # regexp for transform path 
            kind: "presets-query" #  type of transform or "query"
            presets: # list of presets
                small:
                    quality: 75
                    filters:
                        thumbnail: 
                            width: 150
                blur:
                    quality: 80
                    filters:
                        thumbnail: 
                            width: 700
                        blur:
                          sigma: 5.0
                webp:
                    quality: 100
                    format: webp
                    filters:
                        thumbnail: 
                            width: 1000
                watermark:
                    quality: 100
                    filters:
                        thumbnail: 
                            width: 1300
                        watermark:
                            image: "https://i.imgur.com/uomkVIL.png"
                            position: "top-left"
                            opacity: 0.5
                smartcrop:
                    quality: 80
                    filters:
                      crop:
                        width: 200
                        height: 200
        storages:
             basic: # retrieve originals from s3
                 kind: "s3"
                 accessKey: "acc"
                 secretAccessKey: "sec"
                 region: ""
                 endpoint: "http://localhost:8080"
             transform: # and store it on disk
                 kind: "local-meta"
                 rootPath: "/var/www/domain/"
                 pathPrefix: "transform"
        

List of all image operations can be found in Image-Operations.md

More details about configuration can be found in Configuration.md

Debian and Ubuntu

I will provide a Debian package once we are completely stable ;)

Docker

See Dockerfile for image details.

Pull docker image

docker pull aldor007/mort

Create your custom Docker deployment

Create Dockerfile or use Dockerfile.service

FROM aldor007/mort:latest
# add your config
ADD config.yml /etc/mort/mort.yml

Build container

docker build -f Dockerfile.service -t myusername/mort .

Run docker

docker run -p 8080:8080 myusername/mort

You can find a full example here

Development

  1. Make sure you have a Go language compiler >= 1.9 (required) and git installed.
  2. Install libvips as described on the bimg page.
  3. Ensure your GOPATH is properly set.
  4. Download it:
git clone https://github.com/aldor007/mort.git $GOPATH/src/github.com/aldor007/mort
cd $GOPATH/src/github.com/aldor007/mort
  5. Install dependencies:
dep ensure

Run unit tests:

make unit

Run integration tests:

make integrations

Built With

  • dep - Dependency Management
  • bimg - Image processing powered by libvips C library

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests.

License

This project is licensed under the MIT License - see the LICENSE.md file for details

Inspirations

Comments
  • Fail to get Images from S3

    Hey,

    first of all, thank you very much for your work. Here's my Problem: I've configured a preset bucket like this:

    buckets:
        media:
            keys:
              - accessKey: "..."
                aecretAccessKey: "..."
            transform:
                path: "\\/(?P<presetName>[a-z0-9_]+)\\/(?P<parent>.*)"
                checkParent: true
                kind: "presets"
                presets:
                    ...
            storages:
                basic:
                    kind: "http"
                    url: "https://some-server.de/images<item>"
    

    I can successfully access http://localhost:8080/media/test-image.jpg, but http://localhost:8080/media/test/image.jpg is not working. https://some-server.de/images/test-image.jpg and https://some-server.de/images/test/image.jpg both exist.

    When I change the storage-backend to a S3-Bucket, the result is the same.

    The log only shows "FileObject decodePreset unknown preset" for the file which cannot be accessed.

    I think I tried everything configuration wise. I hope you can help me out here!

    Thanks again for your work!
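The two transform path patterns on this page (the README demo bucket and the bucket in the post above), run against sample keys. This is an added example, not Mort's code: `Resolve` and `Decision` are hypothetical names, the preset list and keys are constructed, and it assumes the pattern is applied to the object key after the bucket name and that a key that does not match is served as an original.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns copied from the page; YAML "\\/" unescapes to `\/`.
const (
	issuePattern  = `\/(?P<presetName>[a-z0-9_]+)\/(?P<parent>.*)`
	readmePattern = `\/(?P<presetName>[a-z0-9_]+)\/(?P<parent>[a-z0-9-\.]+)`
)

// Decision is a hypothetical result type for this example, not a Mort type.
type Decision struct {
	Kind   string // "original", "transform" or "unknown-preset"
	Preset string
	Parent string
}

// Resolve classifies an object key (the path after the bucket name) the way a
// preset-based router would (assumption). With anchored=true the pattern has
// to cover the whole key instead of matching any substring of it.
func Resolve(pattern string, presets map[string]bool, key string, anchored bool) Decision {
	if anchored {
		pattern = "^(?:" + pattern + ")$"
	}
	re := regexp.MustCompile(pattern)
	pi, qi := re.SubexpIndex("presetName"), re.SubexpIndex("parent")
	m := re.FindStringSubmatch(key)
	if m == nil || pi < 0 || qi < 0 {
		// No match: the key is treated as a stored original.
		return Decision{Kind: "original", Parent: key}
	}
	d := Decision{Kind: "transform", Preset: m[pi], Parent: m[qi]}
	if !presets[d.Preset] {
		// The first path segment was captured as a preset name that is not configured.
		d.Kind = "unknown-preset"
	}
	return d
}

func main() {
	presets := map[string]bool{"small": true} // constructed preset list
	cases := []struct {
		name, pattern, key string
		anchored           bool
	}{
		{"issue", issuePattern, "/test-image.jpg", false},
		{"issue", issuePattern, "/test/image.jpg", false},
		{"issue", issuePattern, "/small/test/image.jpg", false},
		{"readme", readmePattern, "/small/sub/dir/img.jpg", false},
		{"readme", readmePattern, "/small/sub/dir/img.jpg", true},
	}
	for _, c := range cases {
		d := Resolve(c.pattern, presets, c.key, c.anchored)
		fmt.Printf("%-6s anchored=%-5v %-24s -> %+v\n", c.name, c.anchored, c.key, d)
	}
}
```

Any key with a directory component has its first segment captured as `presetName`, and an unanchored pattern with a restricted `parent` class silently truncates the parent at the first character it does not allow.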

  • help on configuration

    I want to setup Mort to serve webp images on Wordpress on-the-fly. i.e. BEFORE: https://mydomain.com/wp-content/filename.jpg (content type: jpeg) AFTER: https://mydomain.com/wp-content/filename.jpg (content type: webp)

    My setup is: Cloudflare -> Docker

    • Wordpress (with Apache)
    • Mort

    Apache ProxyPass passing image request to Mort

    ProxyPassMatch "^/(.*\.jpg)$" "http://mort:8080/$1"
    ProxyPassMatch "^/(.*\.jpeg)$" "http://mort:8080/$1"
    ProxyPassMatch "^/(.*\.png)$" "http://mort:8080/$1"
    

    On Docker-Compose wp-content is mounted onto Mort container:

    version: '3.8'
    services:
      mort:
        container_name: mort
        image: ghcr.io/aldor007/mort
        volumes:
          - type: bind
            source: ./misc/mort-config.yml
            target: /etc/mort/mort.yml
          - type: bind
            source: ./wordpress
            target: /root
        restart: unless-stopped
    

    Hence

    # ls -la /root
    total 28
    drwxrwxrwx  3     1000     1000 4096 Aug 11 04:34 .
    drwxr-xr-x  1 root     root     4096 Aug 12 02:49 ..
    -rwxrwxrwx  1     1000     1000   34 May 16 02:13 .git
    -rwxrwxrwx  1     1000     1000 1009 Aug 11 05:43 .gitignore
    -rwxrwxrwx  1     1000     1000 5480 May 16 02:13 wp-config-docker.php
    drwxr-xr-x 14 www-data www-data 4096 Aug 12 03:14 wp-content
    

    This is configuration of Mort:

    #server:
    #  listen: "0.0.0.0:8080"
    #  monitoring: ""
    #  cache:
    #    type: "memory"
    #    cacheSize: 50000
    #    maxCacheItemSizeMB: 50
    #  requestTimeout: 70
    #  internalListen: "0.0.0.0:8081"
    #  plugins:
    #    - "webp"
    
    headers:
      - statusCodes: [200]
        values:
          "cache-control": "max-age=84000, public"
      - statusCodes: [404, 400]
        values:
          "cache-control": "max-age=60, public"
      - statusCodes: [500, 503]
        values:
          "cache-control": "max-age=10, public"
    
    buckets:
      demo:
        transform:
          path: "\\/(?P<presetName>[a-z0-9_]+)\\/(?P<parent>.*)"
          kind: "presets"
          parentStorage: "mounted-dir"
          presets:
            wp-content:
              quality: 100
              format: webp
              filters:
                thumbnail:
                  width: 1000
        storages:
          basic:
            kind: "local-meta"
            rootPath: "/root"
          mounted-dir:
            kind: "local-meta"
            rootPath: "/root"
    

    docker logs -f mort shows this error:

    {"level":"warn","ts":"2022-08-12T03:14:45.581Z","caller":"middleware/s3.go:179","msg":"S3Auth no bucket for access key","hostname":"0e2d7b3c2416","pid":1}
    

    May I know how I should configure it? Thanks.

  • Sample Dockerfile: put comment in a separate line

    The provided sample is not a valid Dockerfile

    Docker treats lines that begin with # as a comment, unless the line is a valid parser directive. A # marker anywhere else in a line is treated as an argument.

  •  Feature/s3 + resizeCropAuto + extract + redis

    TODO

    • [x] update doc
    • [x] fix tests
    • [x] add integration tests for resizeCropAuto
    • [x] add handling 206 https://github.com/aldor007/mort/blob/master/pkg/processor/processor.go#L318
    • [x] local cache for range response
    • [x] redis cache strategy
    • [x] monitoring for storage throughput
    • [x] extract transform
    • [x] monitoring for request types to storage (parent vs transformed object)
  • Add support for start/end clipping

    Not sure if this is in there yet, but the ability to specify the start and end points, preferably multiple of them per video so you can clip out smaller bits of video would be very nice to have.

  • panic: memory lock

    
  • build(deps): bump minimist and mocha

    Bumps minimist to 1.2.7 and updates ancestor dependency mocha. These dependencies need to be updated together.

    Updates minimist from 1.2.5 to 1.2.7

    Changelog

    Sourced from minimist's changelog.

    v1.2.7 - 2022-10-10

    Commits

    • [meta] add auto-changelog 0ebf4eb
    • [actions] add reusable workflows e115b63
    • [eslint] add eslint; rules to enable later are warnings f58745b
    • [Dev Deps] switch from covert to nyc ab03356
    • [readme] rename and add badges 236f4a0
    • [meta] create FUNDING.yml; add funding in package.json 783a49b
    • [meta] use npmignore to autogenerate an npmignore file f81ece6
    • Only apps should have lockfiles 56cad44
    • [Dev Deps] update covert, tape; remove unnecessary tap 49c5f9f
    • [Tests] add aud in posttest 228ae93
    • [meta] add safe-publish-latest 01fc23f
    • [meta] update repo URLs 6b164c7

    v1.2.6 - 2022-03-21

    Commits

    • test from prototype pollution PR bc8ecee
    • isConstructorOrProto adapted from PR c2b9819
    • security notice for additional prototype pollution issue ef88b93
    Commits
    • c590d75 v1.2.7
    • 0ebf4eb [meta] add auto-changelog
    • e115b63 [actions] add reusable workflows
    • 01fc23f [meta] add safe-publish-latest
    • f58745b [eslint] add eslint; rules to enable later are warnings
    • 228ae93 [Tests] add aud in posttest
    • 236f4a0 [readme] rename and add badges
    • ab03356 [Dev Deps] switch from covert to nyc
    • 49c5f9f [Dev Deps] update covert, tape; remove unnecessary tap
    • 783a49b [meta] create FUNDING.yml; add funding in package.json
    • Additional commits viewable in compare view
    Maintainer changes

    This version was pushed to npm by ljharb, a new releaser for minimist since your current version.


    Updates mocha from 5.2.0 to 10.1.0

    Release notes

    Sourced from mocha's releases.

    v10.1.0

    10.1.0 / 2022-10-16

    :tada: Enhancements

    :nut_and_bolt: Other

    v10.0.0

    10.0.0 / 2022-05-01

    :boom: Breaking Changes

    :nut_and_bolt: Other

    Also thanks to @​ea2305 and @​SukkaW for improvements to our documentation.

    v9.2.2

    9.2.2 / 2022-03-11

    Please also note our announcements.

    :bug: Fixes

    ... (truncated)

    Changelog

    Sourced from mocha's changelog.

    10.1.0 / 2022-10-16

    :tada: Enhancements

    :nut_and_bolt: Other

    10.0.0 / 2022-05-01

    :boom: Breaking Changes

    :nut_and_bolt: Other

    Also thanks to @​ea2305 and @​SukkaW for improvements to our documentation.

    9.2.2 / 2022-03-11

    :bug: Fixes

    :nut_and_bolt: Other

    ... (truncated)

    Commits
    • 5f96d51 build(v10.1.0): release
    • ed74f16 build(v10.1.0): update CHANGELOG
    • 51d4746 chore(devDeps): update 'ESLint' to v8 (#4926)
    • 4e06a6f fix(browser): increase contrast for replay buttons (#4912)
    • 41567df Support prefers-color-scheme: dark (#4896)
    • 61b4b92 fix the regular expression for function clean in utils.js (#4770)
    • 77c18d2 chore: use standard 'Promise.allSettled' instead of polyfill (#4905)
    • 84b2f84 chore(ci): upgrade GH actions to latest versions (#4899)
    • 023f548 build(v10.0.0): release
    • 62b1566 build(v10.0.0): update CHANGELOG
    • Additional commits viewable in compare view
    Maintainer changes

    This version was pushed to npm by juergba, a new releaser for mocha since your current version.


    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

  • build(deps): bump moment from 2.29.2 to 2.29.4

    Bumps moment from 2.29.2 to 2.29.4.

    Changelog

    Sourced from moment's changelog.

    2.29.4

    • Release Jul 6, 2022
      • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

    2.29.3 Full changelog

    • Release Apr 17, 2022
      • #5995 [bugfix] Remove const usage
      • #5990 misc: fix advisory link
    Commits


  • build(deps): bump moment from 2.23.0 to 2.29.2

    Bumps moment from 2.23.0 to 2.29.2.

    Changelog

    Sourced from moment's changelog.

    2.29.2 See full changelog

    • Release Apr 3 2022

    Address https://github.com/advisories/GHSA-8hfj-j24r-96c4

    2.29.1 See full changelog

    • Release Oct 6, 2020

    Updated deprecation message, bugfix in hi locale

    2.29.0 See full changelog

    • Release Sept 22, 2020

    New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

    2.28.0 See full changelog

    • Release Sept 13, 2020

    Fix bug where .format() modifies original instance, and locale updates

    2.27.0 See full changelog

    • Release June 18, 2020

    Added Turkmen locale, other locale improvements, slight TypeScript fixes

    2.26.0 See full changelog

    • Release May 19, 2020

    TypeScript fixes and many locale improvements

    2.25.3

    • Release May 4, 2020

    Remove package.json module property. It looks like webpack behaves differently for modules loaded via module vs jsnext:main.

    2.25.2

    • Release May 4, 2020

    ... (truncated)

    Commits


  • Hi, your project pulls in 468 open-source components and has 5 vulnerabilities; please take the trouble to upgrade

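    Detected that aldor007/mort pulls in 468 open-source components in total and has 5 vulnerabilities

    Vulnerability title: jwt-go security vulnerability
    Vulnerable component: github.com/dgrijalva/[email protected]+incompatible
    Vulnerability ID: CVE-2020-26160
    Description: jwt-go is a Go implementation of JWT by an individual developer.
    Versions of jwt-go before 4.0.0-preview1 contain a security vulnerability. An attacker can exploit it to bypass intended access restrictions in situations that use []string{} for m[\"aud\"] (which is allowed by the specification).
    Affected range: (∞, 4.0.0-preview1)
    Minimum fixed version: 4.0.0-preview1
    Path by which the vulnerable component is pulled in: main@->github.com/dgrijalva/[email protected]+incompatible
    

    In addition there are 5 vulnerabilities; detailed report: https://mofeisec.com/jr?p=a2f25d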

  • chore(deps): bump ajv from 6.6.2 to 6.12.6

    Bumps ajv from 6.6.2 to 6.12.6.

    Release notes

    Sourced from ajv's releases.

    v6.12.6

    Fix performance issue of "url" format.

    v6.12.5

    Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

    v6.12.4

    Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

    v6.12.3

    Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

    v6.12.2

    Removed post-install script

    v6.12.1

    Docs and dependency updates

    v6.12.0

    Improved hostname validation (@​sambauers, #1143) Option keywords to add custom keywords (@​franciscomorais, #1137) Types fixes (@​boenrobot, @​MattiAstedrone) Docs:

    v6.11.0

    Time formats support two digit and colon-less variants of timezone offset (#1061 , @​cjpillsbury) Docs: RegExp related security considerations Tests: Disabled failing typescript test

    v6.10.2

    Fix: the unknown keywords were ignored with the option strictKeywords: true (instead of failing compilation) in some sub-schemas (e.g. anyOf), when the sub-schema didn't have known keywords.

    v6.10.1

    Fix types Fix addSchema (#1001) Update dependencies

    v6.10.0

    Option strictDefaults to report ignored defaults (#957, @​not-an-aardvark) Option strictKeywords to report unknown keywords (#781)

    v6.9.0

    OpenAPI keyword nullable can be any boolean (and not only true). Custom keyword definition changes:

    • dependencies option in to require the presence of keywords in the same schema.

    ... (truncated)

    Commits
    • fe59143 6.12.6
    • d580d3e Merge pull request #1298 from ajv-validator/fix-url
    • fd36389 fix: regular expression for "url" format
    • 490e34c docs: link to v7-beta branch
    • 9cd93a1 docs: note about v7 in readme
    • 877d286 Merge pull request #1262 from b4h0-c4t/refactor-opt-object-type
    • f1c8e45 6.12.5
    • 764035e Merge branch 'ChALkeR-chalker/fix-comma'
    • 3798160 Merge branch 'chalker/fix-comma' of git://github.com/ChALkeR/ajv into ChALkeR...
    • a3c7eba Merge branch 'refactor-opt-object-type' of github.com:b4h0-c4t/ajv into refac...
    • Additional commits viewable in compare view


  • build(deps): bump qs from 6.5.2 to 6.5.3

    Bumps qs from 6.5.2 to 6.5.3.

    Changelog

    Sourced from qs's changelog.

    6.5.3

    • [Fix] parse: ignore __proto__ keys (#428)
    • [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
    • [Fix] correctly parse nested arrays
    • [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
    • [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
    • [Fix] when parseArrays is false, properly handle keys ending in []
    • [Fix] fix for an impossible situation: when the formatter is called with a non-string value
    • [Fix] utils.merge: avoid a crash with a null target and an array source
    • [Refactor] utils: reduce observable [[Get]]s
    • [Refactor] use cached Array.isArray
    • [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
    • [Refactor] parse: only need to reassign the var once
    • [Robustness] stringify: avoid relying on a global undefined (#427)
    • [readme] remove travis badge; add github actions/codecov badges; update URLs
    • [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
    • [Docs] Clarify the need for "arrayLimit" option
    • [meta] fix README.md (#399)
    • [meta] add FUNDING.yml
    • [actions] backport actions from main
    • [Tests] always use String(x) over x.toString()
    • [Tests] remove nonexistent tape option
    • [Dev Deps] backport from main
    Commits
    • 298bfa5 v6.5.3
    • ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
    • 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
    • 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
    • 12ac1c4 [meta] fix README.md (#399)
    • 0338716 [actions] backport actions from main
    • 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
    • 51b8a0b add FUNDING.yml
    • 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...
    • f814a7f [Dev Deps] backport from main
    • Additional commits viewable in compare view

Image - This repository holds supplementary Go image libraries

Go Images This repository holds supplementary Go image libraries. Download/Insta

Jan 5, 2022
Image processing library and rendering toolkit for Go.

blend Image processing library and rendering toolkit for Go. (WIP) Installation: This library is compatible with Go1. go get github.com/phrozen/blend

Nov 11, 2022
A lightning fast image processing and resizing library for Go

govips A lightning fast image processing and resizing library for Go This package wraps the core functionality of libvips image processing library by

Jan 8, 2023
Image processing algorithms in pure Go

bild A collection of parallel image processing algorithms in pure Go. The aim of this project is simplicity in use and development over absolute high

Jan 6, 2023
Go package for fast high-level image processing powered by libvips C library

bimg Small Go package for fast high-level image processing using libvips via C bindings, providing a simple programmatic API. bimg was designed to be

Jan 2, 2023
Fast, simple, scalable, Docker-ready HTTP microservice for high-level image processing

imaginary Fast HTTP microservice written in Go for high-level image processing backed by bimg and libvips. imaginary can be used as private or public

Jan 3, 2023
Imaging is a simple image processing package for Go

Imaging Package imaging provides basic image processing functions (resize, rotate, crop, brightness/contrast adjustments, etc.). All the image process

Dec 30, 2022
A library for basic image processing in Go.

Imaging Package imaging provides basic image processing functions (resize, rotate, crop, brightness/contrast adjustments, etc.). All the image process

Nov 26, 2021
A library for basic image processing in Go.

Imaging Package imaging provides basic image processing functions (resize, rotate, crop, brightness/contrast adjustments, etc.). All the image process

Nov 26, 2021
An API which allows you to upload an image and responds with the same image, stripped of EXIF data

strip-metadata This is an API which allows you to upload an image and responds with the same image, stripped of EXIF data. How to run You need to have

Nov 25, 2021
Asset storage and on-the-fly image resize

air - Asset & Image Resize Asset storage and on-the-fly image resize powered by libvips. Uploading an asset $ http -f POST http://127.0.0.1:1323/uploa

Feb 5, 2022
Easily customizable Social image (or Open graph image) generator

fancycard Easily customizable Social image (or Open graph image) generator Built with Go, Gin, GoQuery and Chromedp Build & Run Simply, Clone this rep

Jan 14, 2022
Imgpreview - Tiny image previews for HTML while the original image is loading

imgpreview This is a Go program that generates tiny blurry previews for images t

May 22, 2022
An image resizing server written in Go

picfit picfit is a reusable Go server to manipulate images (resize, thumbnail, etc.). It will act as a proxy on your storage engine and will be served

Dec 24, 2022
Pbm - Package ppm implements a Portable Bit Map (PBM) image decoder and encoder written in Go

Package pbm import "github.com/slashformotion/pbm" Package pbm implements a Portable Bit Map (PBM) image decoder and encoder. The supported image col

Jan 5, 2022
An image server toolkit in Go (Golang)

Image Server An image server toolkit in Go (Golang) Features HTTP server Resize (GIFT, nfnt resize, Graphicsmagick) Rotate Crop Convert (JPEG, GIF (an

Dec 22, 2022
Pixelizer is an efficient image pixelizer written in go

Pixelizer is an image pixelizer written in go. It allows very simple and intuitive CLI pixelization. Installation To install Pixelizer, you

Nov 10, 2022
ColorX is a library to determine the most prominent color in an image written in golang

ColorX is a library to determine the most prominent color in an image. ColorX doesn't use any sort of complex algorithms to calculate the prominent color, it simply loops over the image pixels and returns the color that occurs the most.

Nov 11, 2021
Efficient moving window for high-speed data processing.

Moving Window Data Structure Copyright (c) 2012. Jake Brukhman. ([email protected]). All rights reserved. See the LICENSE file for BSD-style license. I

Sep 4, 2022