forked from kolesa-team/go-webp
Closed
Description
Hi!
This Go package vendors a version of libwebp which is vulnerable to CVE-2023-4863. Upstream released v1.3.2, but since you're still on the 1.2.x branch you might want to cherry-pick the fix from the 1.2.4 branch if it's easier than bumping to a new minor: https://github.com/webmproject/libwebp/tree/1.2.4 (webmproject/libwebp@8bacd63)
Once that's done could you tag a new version of this package so older versions can be marked as vulnerable?
Thank you!
Best,