Lovell Fuller

@lovell

Internet Technologist based in London, UK

All content is licensed under CC BY-NC-SA 4.0

Website: https://lovell.info
GitHub: https://github.com/lovell

...and another cloned/fake profile appeared today, now suspended. Thank you if you reported it as such.

A huge thank you to everyone that has donated money to help maintain the open source image processing software libvips.

For those who work at companies that support open source software via GitHub Sponsors, you can now do so at https://github.com/sponsors/libvips

This is linked to the existing @opencollective at https://opencollective.com/libvips that we'll continue to use to help support the libvips ecosystem, both upstream and downstream.

Someone has created an imposter account pretending to be me. I won't link to it, but it uses my first name and the first 4 letters of my surname.

I've blocked and reported it. Please don't follow it.

/cc @grifferz @hasanhaja

The maintainers of the Node.js `prebuild` and `prebuild-install` packages, with over 10 million downloads each week, are planning to deprecate them shortly.

This is likely to impact a few other popular packages that depend upon them, including a couple of third party packages that wrap SQLite.

https://github.com/prebuild/prebuild-install/issues/216

Is this still maintained? · Issue #216 · prebuild/prebuild-install

Hi, is this still maintained? I noticed that there are open PRs for a potentially vulnerable dependency, (see first comment, this is a non-issue) as well as no commits in 10 months.

If you need to parse untrusted Content-Type headers in high performance TypeScript or JavaScript code then you may be interested in my old 2013-era media-type package, which has now been brought up to date for modern use and the latest 2025 RFC9694 guidelines.

https://www.npmjs.com/package/media-type

It can now safely parse and format Media Types ~50% faster than runtime-provided MIMEType classes and is a drop-in replacement, complete with TypeScript declarations and dual ESM/CommonJS exports.

media-type

Parse and validate RFC6838/RFC9694 media types, anything from 'text/plain' to 'application/vnd.company.app.entity-v2+xml;charset=utf8'. Latest version: 1.0.0, last published: 17 hours ago. Start using media-type in your project by running `npm i media-type`. There are 31 other projects in the npm registry using media-type.

Folks who want to see JPEG-XL supported in more browsers, what is it about the format that attracts you to its use on the web compared to currently supported formats?

🔒 If you publish packages to the npm registry and haven't already seen its new Trusted Publisher feature, please do take a look at https://docs.npmjs.com/trusted-publishers

🎟️ It uses short-lived OIDC tokens to allow CI-based automation of signed publish-with-provenance.

📈 According to https://github.com/sxzz/npm-top-provenance I maintain 6 of the top 50 packages that use this feature, and those 6 packages combined have over 600 million downloads each month!

#OpenSource #NodeJS #npm

Trusted publishing for npm packages | npm Docs

Documentation for the npm registry, website, and command-line interface

There's a new "moderate" buffer over-read vulnerability in versions of libvips prior to the latest 8.17.2 when rendering PDFs via libpoppler.

https://github.com/libvips/libvips/security/advisories/GHSA-q8px-4w5q-c2r4

The CVSSv4 severity is 5.1/10 and the reference is CVE-2025-59933.

(This does not affect sharp as its prebuilt binaries do not support PDF rendering.)

Buffer over-read in poppler-based pdfload

### Impact For those using libvips compiled with support for PDF input via poppler, the `pdfload` operation in versions prior to 8.17.2 is affected by a buffer read overflow when parsing the hea...

Amazon just bought over 400000 IPv4 addresses from Freenet AG in Germany.

The estimated market value is based on a rate of US$30 each but I suspect these sold for more, perhaps closer to US$20 million in total, or were part of a wider negotiation.

https://social.bgp.tools/@transfers/statuses/01K5GMPWKYVZGEVQKX4XAXKC27

h/t @fanf

Post by IP/ASN Transfers, @[email protected]

"freenet Datenkommunikations GmbH" (RIPE) transferred: 194.97.160.0/21, 195.4.88.0/22, 194.97.224.0/19, 194.97.168.0/22, 194.97.32.0/19, 195.4.216.0/21, 195.4.80.0/21, 195.4.94.0/23, 89.62.0.0/16, 195.4.96.0/19, 89.60.0.0/15, 194.97.176.0/20, 89.59.0.0/16, 89.58.104.0/21, 195.4.0.0/18, 62.10...

Fresh version of the sharp image processing library out today with plenty of new features.

๐Ÿ–ผ๏ธ Resize images with Facebook's interpolation logic (a.k.a. Magic Kernel Sharp)

โณ More consistent AVIF encoding times (avoids slow intra block copy)

๐ŸŽจ Supply custom CSS when rendering SVG

๐Ÿท๏ธ Improved XMP metadata handling

๐Ÿ’ช Experimental support for Windows ARM64

Big thank you to everyone that has contributed code, bug reports and documentation improvements.

https://www.npmjs.com/package/sharp