Dependabot alerts
Describe the bug
After installing a new instance of the studio and pushing the code to a GitHub repository, I got a few Dependabot alerts, as follows:
- https://github.com/advisories/GHSA-9qmh-276g-x5pj
- https://github.com/advisories/GHSA-p9pc-299p-vxgp
- https://github.com/advisories/GHSA-4xcv-9jjx-gfj3
To Reproduce
Steps to reproduce the behavior:
- Install the latest version of Studio (currently v2.10.2) with sanity init
- Push the code to an empty GitHub repository with dependabot alerts enabled
- Get the alerts related to the 3 mentioned vulnerabilities
Expected behavior
I'd expect to see no vulnerabilities.
Screenshots
N/A
Which versions of Sanity are you using?
@sanity/cli 2.10.0 (up to date)
@sanity/base 2.10.2 (up to date)
@sanity/components 2.2.6 (up to date)
@sanity/core 2.10.2 (up to date)
@sanity/default-layout 2.10.2 (up to date)
@sanity/default-login 2.8.0 (up to date)
@sanity/desk-tool 2.10.2 (up to date)
@sanity/vision 2.10.0 (up to date)
What operating system are you using?
macOS 11.3 (20E232)
Which versions of Node.js / npm are you running?
npm 6.14.11
Node.js v12.18.3
Additional context
Here is the audit output:
┌────────────────┬─────────────────────────────────────────────────────────────┐
│ low            │ Denial of Service                                           │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Package        │ mem                                                         │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Patched in     │ >=4.0.0                                                     │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Dependency of  │ @sanity/core                                                │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Path           │ @sanity/core > @sanity/server > webpack > yargs > os-locale │
│                │ > mem                                                       │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ More info      │ https://www.npmjs.com/advisories/1084                       │
└────────────────┴─────────────────────────────────────────────────────────────┘
┌────────────────┬─────────────────────────────────────────────────────────────┐
│ low            │ Prototype Pollution                                         │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Package        │ yargs-parser                                                │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Patched in     │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2            │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Dependency of  │ @sanity/core                                                │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Path           │ @sanity/core > @sanity/server > webpack > yargs >           │
│                │ yargs-parser                                                │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ More info      │ https://www.npmjs.com/advisories/1500                       │
└────────────────┴─────────────────────────────────────────────────────────────┘
┌────────────────┬─────────────────────────────────────────────────────────────┐
│ high           │ Prototype Pollution                                         │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Package        │ immer                                                       │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Patched in     │ >=8.0.1                                                     │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Dependency of  │ @sanity/desk-tool                                           │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ Path           │ @sanity/desk-tool > @sanity/form-builder >                  │
│                │ @sanity/portable-text-editor > slate > immer                │
├────────────────┼─────────────────────────────────────────────────────────────┤
│ More info      │ https://www.npmjs.com/advisories/1603                       │
└────────────────┴─────────────────────────────────────────────────────────────┘
3 vulnerabilities found - Packages audited: 1480
Severity: 2 Low | 1 High
Security issue?
This is not a security issue directly related to Sanity but to third-party packages on which Sanity depends.
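All three alerts come from transitive dependencies, so a practical triage step is to compare the version actually installed against the "Patched in" range from the audit output. The block below is an added example (not code from the Sanity project or the issue author) that evaluates those ranges for the subset of semver syntax the report uses; the package-to-range table is copied from the output above, and the installed versions it checks are constructed for illustration.

```javascript
// Added example, not code from the Sanity project or the issue author: a small
// evaluator for the "Patched in" ranges that npm audit prints, used to check
// whether an installed transitive version is still affected. It supports only
// the syntax seen in the report: comparators joined by spaces (AND) and "||" (OR).

function parseVersion(v) {
  // Accept a leading "v" (as in "v12.18.3") and compare numerically.
  return v.replace(/^v/, "").split(".").map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function satisfies(version, range) {
  // Every comparator in one "||" alternative must hold for the range to match.
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(\d+(?:\.\d+)*)$/.exec(comparator);
      if (!m) throw new Error(`unsupported comparator: ${comparator}`);
      const c = compareVersions(version, m[2]);
      return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[m[1] || "="];
    })
  );
}

// The three "Patched in" ranges from the audit output in the issue.
const PATCHED_IN = {
  mem: ">=4.0.0",
  "yargs-parser": ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2",
  immer: ">=8.0.1",
};

// True when the installed version falls outside every patched range.
function isVulnerable(pkg, installedVersion) {
  if (!(pkg in PATCHED_IN)) throw new Error(`no advisory recorded for ${pkg}`);
  return !satisfies(installedVersion, PATCHED_IN[pkg]);
}

// Constructed installed versions for illustration (not taken from the issue).
console.log(isVulnerable("yargs-parser", "13.1.1")); // prints true
console.log(isVulnerable("yargs-parser", "13.1.2")); // prints false
console.log(isVulnerable("immer", "7.0.5")); // prints true
```

The installed version of each package can be read from `npm ls <package>` (or the lockfile) and fed to `isVulnerable`; a `true` result means the dependency path shown in the audit output still needs an upgrade.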
The immer.js dependency is now gone
19 vulnerabilities as of today. Is fixing this on the roadmap?