Status: Open
Labels: backlog (Issue/PR/discussion is reviewed and added to backlog for the further work), 🐞 bug
Description
Describe the Bug
A freshly installed JSS app using the built-in nextjs starter has the following critical vulnerabilities:
- CVE-2023-45133 (Critical Severity) - Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
- CVE-2022-37601 (Critical Severity) - Prototype pollution in webpack loader-utils
- CVE-2022-37603 (High Severity) - loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
- CVE-2022-37599 (High Severity) - loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
- CVE-2021-44906 (Critical Severity) - Prototype Pollution in minimist
All of these stem from the use of graphql-let. Can graphql-let be updated or removed as a dependency to address the critical vulnerabilities in the codebase?
To Reproduce
- Install a fresh copy of JSS using the command `npx [email protected] nextjs`
- Within the newly created JSS starter app run `npm audit`
- Note the critical vulnerabilities reported:
```text
❯ npm audit
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/graphql-let/node_modules/@babel/traverse
  graphql-let  >=0.18.5
  Depends on vulnerable versions of @babel/traverse
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of minimist
  node_modules/graphql-let

loader-utils  2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/loader-utils

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

4 critical severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

Expected Behavior
A fresh install should not have dependencies that have critical security vulnerabilities.
Possible Fix
Can graphql-let be updated or removed as a dependency to address the critical vulnerabilities in the codebase?
Provide environment information
- Sitecore Version:
- JSS Version: 22.6.0
- Browser Name and version:
- Operating System and version (desktop or mobile):
- Link to your project (if available):
mg-aceik