I just made a fresh project with blitz.js 2.1.1, and it contains 5 high severity package vulnerabilities.
Are these not an actual problem?
$ npm audit
# npm audit report
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/jscodeshift/node_modules/braces
micromatch <=4.0.7
Depends on vulnerable versions of braces
node_modules/jscodeshift/node_modules/micromatch
jscodeshift 0.3.20 - 0.13.1
Depends on vulnerable versions of micromatch
node_modules/jscodeshift
@blitzjs/generator <=0.0.0-turbopack-20240403083540 || >=0.17.1-canary.0
Depends on vulnerable versions of jscodeshift
Depends on vulnerable versions of zod
node_modules/@blitzjs/generator
next 14.0.0 - 14.2.9
Severity: high
Next.js Cache Poisoning - https://github.com/advisories/GHSA-gp8f-8m3g-qvj9
fix available via `npm audit fix --force`
Will install next@14.2.13, which is outside the stated dependency range
node_modules/next
node-fetch 3.0.0 - 3.2.9
Severity: moderate
node-fetch Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-vp56-6g26-6827
fix available via `npm audit fix`
node_modules/node-fetch
semver 7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install blitz@0.45.5, which is a breaking change
node_modules/blitz/node_modules/semver
blitz <=0.0.0-turbopack-20240403083540 || >=2.0.0-alpha.1
Depends on vulnerable versions of @blitzjs/generator
Depends on vulnerable versions of jscodeshift
Depends on vulnerable versions of node-fetch
Depends on vulnerable versions of semver
Depends on vulnerable versions of tar
node_modules/blitz
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar
zod <=3.22.2
Severity: moderate
Zod denial of service vulnerability - https://github.com/advisories/GHSA-m95q-7qp3-xv42
fix available via `npm audit fix`
node_modules/@blitzjs/generator/node_modules/zod
10 vulnerabilities (5 moderate, 5 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
What is the problem?
Paste all your error logs here:
Paste all relevant code snippets here:
What are detailed steps to reproduce this?
Run `blitz -v` and paste the output here:
$ blitz -v
Blitz version: 2.1.1 (global)
Blitz version: 2.1.1 (local)
macOS Sequoia | darwin-arm64 | Node: v22.3.0
Package manager: npm
System:
OS: macOS 15.0
CPU: (10) arm64 Apple M1 Max
Memory: 1.27 GB / 32.00 GB
Shell: 3.2.57 - /bin/bash
Binaries:
Node: 22.3.0 - /opt/homebrew/bin/node
Yarn: Not Found
npm: 10.8.1 - /opt/homebrew/bin/npm
npmPackages:
@blitzjs/auth: 2.1.1 => 2.1.1
@blitzjs/next: 2.1.1 => 2.1.1
@blitzjs/rpc: 2.1.1 => 2.1.1
@prisma/client: 5.4.2 => 5.4.2
blitz: 2.1.1 => 2.1.1
next: 14.1.4 => 14.1.4
prisma: 5.4.2 => 5.4.2
react: 18.2.0 => 18.2.0
react-dom: 18.2.0 => 18.2.0
typescript: ^4.8.4 => 4.9.5
Please include below any other applicable logs and screenshots that show your problem:
No response