Skip to content

NPM dependency vulnerability (moderate)—react-email >=3.0.4 depends on vulnerable versions of next #1856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
danielgwilson opened this issue Jan 6, 2025 · 4 comments
Closed

NPM dependency vulnerability (moderate)—react-email >=3.0.4 depends on vulnerable versions of next #1856

danielgwilson opened this issue Jan 6, 2025 · 4 comments
Labels
Type: Bug Confirmed bug

Comments

@danielgwilson
Copy link

Describe the Bug

Getting a dependency bug currently

**# npm audit report**

**next**  15.0.0 - 15.1.1
Severity: **moderate**
**Next.js Allows a Denial of Service (DoS) with Server Actions** - https://github.com/advisories/GHSA-7m27-7ghc-44w9
**fix available** via `npm audit fix`
node_modules/react-email/node_modules/next
  **react-email**  >=3.0.4
  Depends on vulnerable versions of next
  node_modules/react-email

Which package is affected (leave empty if unsure)

No response

Link to the code that reproduces this issue

npm i

To Reproduce

Install package with Next 15

Expected Behavior

No vulnerability warnings

What's your node version? (if relevant)

22.12.0
@danielgwilson danielgwilson added the Type: Bug Confirmed bug label Jan 6, 2025
@danielgwilson
Copy link
Author

(With npm 11.0.0)

@javirln
Copy link

javirln commented Jan 7, 2025

I was going to report the same thanks @danielgwilson!

It seems the affected CVE is the following: https://nvd.nist.gov/vuln/detail/CVE-2024-56332

@apergy
Copy link

apergy commented Jan 7, 2025
edited
Loading

Look like we need this to pass and then release be5c48d.

@gabrielmfern
Copy link
Collaborator

Just released a new stable version with this fixed! [email protected].

@richardsimko richardsimko mentioned this issue Mar 29, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Bug Confirmed bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@apergy @javirln @danielgwilson @gabrielmfern