Vulnerability in loader-utils version
Bug report
Vulnerability in dependency tree: minimist, a dependency of loader-utils
Describe the bug
Nextjs has a dependency on loader-utils, currently using version 1.2.3. In this version of loader-utils, there is a dependency on json5, which had a dependency on minimist in a version that has a vulnerability. The loader-utils package fixed that dependency here: https://github.com/webpack/loader-utils/commit/c78786d5b540dea5e50d741557c72f2523976ef3#diff-b9cfc7f2cdf78a7f4b91a753d10865a2
Loader-utils has updated their dependency to minimist in 2.x. Hope it will be possible to upgrade to the new version?
The vulnerability is described here: https://nvd.nist.gov/vuln/detail/CVE-2020-7598#vulnCurrentDescriptionTitle https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
To Reproduce
First of all, the issue was found using the Anchore CLI. After that, the cause of this particular dependency was found by:
- using nextjs 9.3.0
- running: yarn why minimist
result:
- Hoisted from "next#loader-utils#json5#minimist"
System information
- OS: docker container node:lts-alpine
- Version of Next.js: 9.3.0
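The reproduction above relies on running yarn why against an installed tree. As an added example (not code from this issue, from Next.js or from webpack/loader-utils), the script below derives the same answer from a yarn.lock v1 file alone: it lists every resolved copy of a package whose version is below a fix threshold and prints the chain of packages that requires each copy, which makes the check usable offline in CI. The lockfile embedded in it is constructed to mirror the chain reported above (next -> loader-utils -> json5 -> minimist); the version numbers in it are illustrative, the resolved/integrity lines are omitted, and FIXED_VERSION is an assumption that must be taken from the advisory, not a value stated on this page.

```javascript
// Added example, not code from the Next.js issue or from webpack/loader-utils:
// audit a yarn.lock (v1 format) for every resolved copy of a package below a fix
// threshold and print the chains of packages requiring it (offline `yarn why`).
// Numeric major.minor.patch comparison; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}
// Parse yarn.lock v1 text into [{ keys: ["name@range", ...], name, version, deps }].
// One block header may list several "name@range" keys that resolve to one version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      // Scoped names contain a leading '@', so the version separator is the last '@'.
      current = { keys, name: keys[0].slice(0, keys[0].lastIndexOf('@')), version: null, deps: [] };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2) {
      inDeps = line === 'dependencies:';
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps) {
      const m = line.match(/^"?([^"\s]+)"? "([^"]+)"$/);
      if (m) current.deps.push(`${m[1]}@${m[2]}`);
    }
  }
  return entries;
}
// Every copy of `pkg` below `fixedVersion`, each with the root-to-leaf chains that
// require it (a root is an entry nothing else in the lockfile depends on).
function findVulnerable(entries, pkg, fixedVersion) {
  const requiredBy = new Map(); // "name@range" -> entries whose deps include it
  for (const e of entries) {
    for (const depKey of e.deps) {
      if (!requiredBy.has(depKey)) requiredBy.set(depKey, []);
      requiredBy.get(depKey).push(e);
    }
  }
  const results = [];
  for (const e of entries) {
    if (e.name !== pkg || compareVersions(e.version, fixedVersion) >= 0) continue;
    const chains = [];
    const walk = (entry, path) => {
      const parents = [...new Set(entry.keys.flatMap((k) => requiredBy.get(k) || []))];
      const fresh = parents.filter((p) => !path.includes(p)); // cycle guard
      if (fresh.length === 0) {
        chains.push(path.map((x) => `${x.name}@${x.version}`).reverse().join(' > '));
        return;
      }
      for (const p of fresh) walk(p, [...path, p]);
    };
    walk(e, [e]);
    results.push({ version: e.version, chains });
  }
  return results;
}
// Constructed sample lockfile mirroring the chain from the report (illustrative
// versions). some-tool pulls in a copy at or above the threshold; it must not be flagged.
const SAMPLE_LOCK = `
json5@^1.0.1:
  version "1.0.1"
  dependencies:
    minimist "^1.2.0"
loader-utils@1.2.3:
  version "1.2.3"
  dependencies:
    json5 "^1.0.1"
minimist@^1.2.0:
  version "1.2.0"
minimist@^1.2.5:
  version "1.2.5"
next@9.3.0:
  version "9.3.0"
  dependencies:
    loader-utils "1.2.3"
some-tool@^2.0.0:
  version "2.0.0"
  dependencies:
    minimist "^1.2.5"
`;
const FIXED_VERSION = '1.2.3'; // assumption: take the real threshold from the advisory
for (const hit of findVulnerable(parseYarnLock(SAMPLE_LOCK), 'minimist', FIXED_VERSION)) {
  console.log(`minimist@${hit.version} is below ${FIXED_VERSION}, required via:`);
  for (const chain of hit.chains) console.log(`  ${chain}`);
}
```

Pointing the script at a project's real yarn.lock (read the file instead of SAMPLE_LOCK) reports each hoisted or nested copy of minimist separately, so a project that has upgraded next but still carries an old copy through another package is not reported as clean by mistake.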
Those are different. Both have been updated, check next@canary. See #11149
This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.