Installation

npm install sharp
yarn add sharp

Prerequisites

  • Node v4.5.0+
  • C++11 compatible compiler such as gcc 4.8+, clang 3.0+ or MSVC 2013+
  • node-gyp and its dependencies (includes Python)

Linux

Ubuntu 16.04 Build Status

libvips and its dependencies are fetched and stored within node_modules/sharp/vendor during npm install. This involves an automated HTTPS download of approximately 7MB.

Most recent Linux-based operating systems with glibc running on x64 and ARMv6+ CPUs should "just work", e.g.:

  • Debian 7, 8
  • Ubuntu 14.04, 16.04
  • Centos 7
  • Fedora
  • openSUSE 13.2
  • Archlinux
  • Raspbian Jessie
  • Amazon Linux 2017.03.1
  • Solus

To use a globally-installed version of libvips instead of the provided binaries, make sure it is at least the version listed under config.libvips in the package.json file and that it can be located using pkg-config --modversion vips-cpp.

If you are using non-stadard paths (anything other than /usr or /usr/local), you might need to set PKG_CONFIG_PATH during npm install and LD_LIBRARY_PATH at runtime.

This allows the use of newer versions of libvips with older versions of sharp.

For 32-bit Intel CPUs and older Linux-based operating systems such as Centos 6, it is recommended to install a system-wide installation of libvips from source:

https://jcupitt.github.io/libvips/install.html#building-libvips-from-a-source-tarball

Alpine Linux

libvips is available in the testing repository:

apk add vips-dev fftw-dev --update-cache --repository https://dl-3.alpinelinux.org/alpine/edge/testing/

The smaller stack size of musl libc means libvips may need to be used without a cache via sharp.cache(false) to avoid a stack overflow.

Mac OS

OS X 10.9.5 Build Status

libvips and its dependencies are fetched and stored within node_modules/sharp/vendor during npm install. This involves an automated HTTPS download of approximately 7MB.

To use your own version of libvips instead of the provided binaries, make sure it is at least the version listed under config.libvips in the package.json file and that it can be located using pkg-config --modversion vips-cpp.

Windows x64

Windows x64 Build Status

libvips and its dependencies are fetched and stored within node_modules\sharp\vendor during npm install. This involves an automated HTTPS download of approximately 12MB.

Only 64-bit (x64) node.exe is supported.

FreeBSD

libvips must be installed before npm install is run.

This can be achieved via package or ports:

pkg install -y pkgconf vips
cd /usr/ports/graphics/vips/ && make install clean

FreeBSD's gcc v4 and v5 need CXXFLAGS=-D_GLIBCXX_USE_C99 set for C++11 support due to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193528

Heroku

libvips and its dependencies are fetched and stored within node_modules\sharp\vendor during npm install. This involves an automated HTTPS download of approximately 7MB.

Set NODE_MODULES_CACHE to false when using the yarn package manager.

Docker

Marc Bachmann maintains an Ubuntu-based Dockerfile for libvips.

docker pull marcbachmann/libvips

Will Jordan maintains an Alpine-based Dockerfile for libvips.

docker pull wjordan/libvips

Tailor Brands maintain Debian-based Dockerfiles for libvips and nodejs.

docker pull tailor/docker-libvips

AWS Lambda

A deployment package for the Lambda Execution Environment can be built using Docker.

rm -rf node_modules/sharp
docker run -v "$PWD":/var/task lambci/lambda:build-nodejs6.10 npm install

Set the Lambda runtime to Node.js 6.10.

To get the best performance select the largest memory available. A 1536 MB function provides ~12x more CPU time than a 128 MB function.

Build tools

Coding tools

CLI tools

Security

Many users of this module process untrusted, user-supplied images, but there are aspects of security to consider when doing so.

It is possible to compile libvips with support for various third-party image loaders. Each of these libraries has undergone differing levels of security testing.

Whilst tools such as American Fuzzy Lop and Valgrind have been used to test the most popular web-based formats, as well as libvips itself, you are advised to perform your own testing and sandboxing.

ImageMagick in particular has a relatively large attack surface, which can be partially mitigated with a policy.xml configuration file to prevent the use of coders known to be vulnerable.

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

Set the MAGICK_CONFIGURE_PATH environment variable to the directory containing the policy.xml file.

Pre-compiled libvips binaries

If a global installation of libvips that meets the minimum version requirement cannot be found, this module will attempt to download a pre-compiled bundle of libvips and its dependencies on Linux and Windows machines.

Should you need to manually download and inspect these files, you can do so via https://github.com/lovell/sharp-libvips/releases

Should you wish to install these from your own location, set the SHARP_DIST_BASE_URL environment variable, e.g.

SHARP_DIST_BASE_URL="https://hostname/path/" npm install sharp

to use https://hostname/path/libvips-x.y.z-platform.tar.gz.

Licences

This module is licensed under the terms of the Apache 2.0 Licence.

The libraries downloaded and used by this module are done so under the terms of the following licences, all of which are compatible with the Apache 2.0 Licence.

Use of libraries under the terms of the LGPLv3 is via the "any later version" clause of the LGPLv2 or LGPLv2.1.

Library Used under the terms of
cairo Mozilla Public License 2.0
expat MIT Licence
fontconfig fontconfig Licence (BSD-like)
freetype freetype Licence (BSD-like)
giflib MIT Licence
glib LGPLv3
harfbuzz MIT Licence
lcms MIT Licence
libcroco LGPLv3
libexif LGPLv3
libffi MIT Licence
libgsf LGPLv3
libjpeg-turbo zlib License, IJG License
libpng libpng License
librsvg LGPLv3
libtiff libtiff License (BSD-like)
libvips LGPLv3
libwebp New BSD License
libxml2 MIT Licence
pango LGPLv3
pixman MIT Licence
zlib zlib Licence