react-email depends on vulnerable version of next (15.1.2)

[richardsimko]

Describe the Bug

React Email depends on [email protected] which is vulnerable to an auth bypass exploit: GHSA-f82v-jwr5-mffw

It probably doesn't matter in reality since it seems to be only used for the dev server but it should be easy to update to 15.2.3 where it's been fixed

Which package is affected (leave empty if unsure)

[email protected]

Link to the code that reproduces this issue

npm i react-email && npm audit

To Reproduce

npm i react-email && npm audit

Expected Behavior

No audit failures

What's your node version? (if relevant)

No response

[dinmukhamedm]

So does 4.0.3, it is still on 15.2.2.

Huge +1 on this and #2026 in general.

[devontivona]

+1

[froilanimnida]

+1

[richardsimko]

From what I can tell this specific vulnerability has been fixed now but I still think #2026 is the way forward to prevent issues like this one in the future. Even in the updated next (15.2.3) which the latest react-email depends on there is a new vulnerability (GHSA-223j-4rm8-mrmf) which has been patched in 15.2.4

[gabrielmfern]

Closing as we updated to [email protected] on [email protected]

[richardsimko]

Right, as I mentioned technically this bug has been fixed but there's now another vulnerability, should I open a new issue for that?

[gabrielmfern]

@richardsimko I don't think you need to right now, since we also released [email protected] with the [email protected]