10 vulnerabilities (5 moderate, 5 high) in a fresh blitz.js project #4378

Closed
ebadta81 opened this issue Sep 30, 2024 · 1 comment · Fixed by #4380
What is the problem?

I just made a fresh project with blitz.js 2.1.1, and it contains 5 high severity package vulnerabilities.

Are these not an actual problem?

```
$ npm audit 
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/jscodeshift/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/jscodeshift/node_modules/micromatch
    jscodeshift  0.3.20 - 0.13.1
    Depends on vulnerable versions of micromatch
    node_modules/jscodeshift
      @blitzjs/generator  <=0.0.0-turbopack-20240403083540 || >=0.17.1-canary.0
      Depends on vulnerable versions of jscodeshift
      Depends on vulnerable versions of zod
      node_modules/@blitzjs/generator


next  14.0.0 - 14.2.9
Severity: high
Next.js Cache Poisoning - https://github.com/advisories/GHSA-gp8f-8m3g-qvj9
fix available via `npm audit fix --force`
Will install next@14.2.13, which is outside the stated dependency range
node_modules/next

node-fetch  3.0.0 - 3.2.9
Severity: moderate
node-fetch Inefficient Regular Expression Complexity  - https://github.com/advisories/GHSA-vp56-6g26-6827
fix available via `npm audit fix`
node_modules/node-fetch

semver  7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install blitz@0.45.5, which is a breaking change
node_modules/blitz/node_modules/semver
  blitz  <=0.0.0-turbopack-20240403083540 || >=2.0.0-alpha.1
  Depends on vulnerable versions of @blitzjs/generator
  Depends on vulnerable versions of jscodeshift
  Depends on vulnerable versions of node-fetch
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of tar
  node_modules/blitz

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

zod  <=3.22.2
Severity: moderate
Zod denial of service vulnerability - https://github.com/advisories/GHSA-m95q-7qp3-xv42
fix available via `npm audit fix`
node_modules/@blitzjs/generator/node_modules/zod

10 vulnerabilities (5 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force 
```
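One way to turn a report like the one above into a CI decision, as an added example that is not blitz.js project code: it reads the `npm audit --json` form of the report (auditReportVersion 2, field names assumed from npm's JSON output), fails on packages that carry their own advisory at or above a chosen severity, and lists the fixes that only `npm audit fix --force` would apply as breaking changes, such as the blitz@0.45.5 downgrade reported here. The SAMPLE_REPORT object, its field subset and the function names are constructed for this example.

```javascript
// Added example, not blitz.js code: triage an `npm audit --json` report
// (auditReportVersion 2) for a CI gate. The report object is constructed from
// the advisories in the issue, using the field names of npm's v2 JSON format.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    braces: { name: "braces", severity: "high",
      via: [{ url: "https://github.com/advisories/GHSA-grv7-fg5c-xmjg" }],
      fixAvailable: true },
    next: { name: "next", severity: "high",
      via: [{ url: "https://github.com/advisories/GHSA-gp8f-8m3g-qvj9" }],
      fixAvailable: { name: "next", version: "14.2.13", isSemVerMajor: false } },
    semver: { name: "semver", severity: "high",
      via: [{ url: "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" }],
      fixAvailable: { name: "blitz", version: "0.45.5", isSemVerMajor: true } },
    // blitz is listed only because it depends on vulnerable packages: its
    // `via` holds package names, not advisory objects.
    blitz: { name: "blitz", severity: "high",
      via: ["semver", "tar", "node-fetch", "@blitzjs/generator"],
      fixAvailable: { name: "blitz", version: "0.45.5", isSemVerMajor: true } },
    zod: { name: "zod", severity: "moderate",
      via: [{ url: "https://github.com/advisories/GHSA-m95q-7qp3-xv42" }],
      fixAvailable: true },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// fixAvailable is true/false, or an object when the fix replaces a top-level
// package; isSemVerMajor marks the breaking fixes that need --force.
function fixKind(fixAvailable) {
  if (typeof fixAvailable === "boolean") return fixAvailable ? "safe" : "none";
  return fixAvailable.isSemVerMajor ? "breaking" : "safe";
}

// Packages with their own advisory at/above `failOn`, plus the breaking fixes.
function triageAudit(report, failOn = "high") {
  if (report.auditReportVersion !== 2) throw new Error("expected auditReportVersion 2");
  const findings = Object.values(report.vulnerabilities).map((v) => ({
    name: v.name, severity: v.severity, fix: fixKind(v.fixAvailable),
    advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
    fixTarget: typeof v.fixAvailable === "object"
      ? `${v.fixAvailable.name}@${v.fixAvailable.version}` : null,
  }));
  const failing = findings.filter((f) =>
    f.advisories.length > 0 && SEVERITY_RANK[f.severity] >= SEVERITY_RANK[failOn]);
  const breaking = findings.filter((f) => f.fix === "breaking").map((f) => f.fixTarget);
  return { shouldFail: failing.length > 0, failing: failing.map((f) => f.name).sort(),
           breakingFixes: [...new Set(breaking)].sort() };
}
```

Run it against the real report with `npm audit --json > audit.json` and pass the parsed file to `triageAudit`; packages that appear only through "Depends on vulnerable versions of" are reported once, under the package that actually carries the advisory.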

What are detailed steps to reproduce this?

  1. npm install -g blitz
  2. blitz new myAppName with default options
  3. cd myAppName
  4. npm audit

Run blitz -v and paste the output here:

```
$ blitz -v
Blitz version: 2.1.1 (global)
Blitz version: 2.1.1 (local)
macOS Sequoia | darwin-arm64 | Node: v22.3.0

Package manager: npm

System:
OS: macOS 15.0
CPU: (10) arm64 Apple M1 Max
Memory: 1.27 GB / 32.00 GB
Shell: 3.2.57 - /bin/bash
Binaries:
Node: 22.3.0 - /opt/homebrew/bin/node
Yarn: Not Found
npm: 10.8.1 - /opt/homebrew/bin/npm
npmPackages:
@blitzjs/auth: 2.1.1 => 2.1.1
@blitzjs/next: 2.1.1 => 2.1.1
@blitzjs/rpc: 2.1.1 => 2.1.1
@prisma/client: 5.4.2 => 5.4.2
blitz: 2.1.1 => 2.1.1
next: 14.1.4 => 14.1.4
prisma: 5.4.2 => 5.4.2
react: 18.2.0 => 18.2.0
react-dom: 18.2.0 => 18.2.0
typescript: ^4.8.4 => 4.9.5
```

Please include below any other applicable logs and screenshots that show your problem:

No response

ebadta81 commented Nov 5, 2024

Hi,

```
$ blitz --version
Blitz version: 2.1.3 (global)
Blitz version: 2.1.3 (local)

10 vulnerabilities (2 low, 4 moderate, 4 high)
```

This patch didn't resolve most of the vulnerabilities.
