Closed
Description
Is there an existing issue for this?
- I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- I have reviewed the documentation https://docs.sentry.io/
- I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Sentry Saas (sentry.io)
Which SDK are you using?
@sentry/nextjs
SDK Version
8.30.0
Framework Version
sentry/nextjs: 8.30.0, next: 14.2.12
Link to Sentry event
No response
Reproduction Example/SDK Setup
No response
Steps to Reproduce
- Install @sentry/[email protected].
- An npm warning appears post-installation regarding the rollup dependency vulnerability flagged in the advisory GHSA-gcx4-mw62-g8wm.
- Run npm ls rollup to check dependency versions.
- Notice that @sentry/nextjs is pulling in [email protected].
Expected Result
The latest version of @sentry/nextjs should use a non-vulnerable version of rollup, preferably >=3.29.5 or later.
Actual Result
@sentry/nextjs depends on [email protected] through sub-dependencies, which is flagged by npm audit for a high-severity XSS vulnerability.
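As an added illustration (not code from the issue or from the Sentry SDK), this Node script walks the JSON that `npm ls rollup --json --all` prints and lists every copy of rollup below the 3.29.5 threshold the issue asks for, together with the dependency path that pulls it in. The package names under @sentry/nextjs and the rollup versions in the sample tree are constructed placeholders, not the real dependency chain.

```javascript
// Added example (not from the issue or the Sentry SDK): walk the JSON printed
// by `npm ls rollup --json --all` and list every rollup copy below the fixed
// release the issue asks for (3.29.5), with the dependency path pulling it in.

// Constructed sample of that JSON; package names under @sentry/nextjs and the
// rollup versions are placeholders, not the real dependency chain.
const SAMPLE_NPM_LS = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@sentry/nextjs": {
      version: "8.30.0",
      dependencies: {
        "placeholder-build-tool": {
          version: "1.2.3",
          dependencies: { rollup: { version: "3.29.4" } },
        },
      },
    },
    "placeholder-dev-tool": { version: "2.0.0", dependencies: { rollup: { version: "3.29.5" } } },
  },
};

// Numeric compare on major.minor.patch (prerelease suffix ignored); <0, 0, >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every rollup node with the path that leads to it.
function findRollup(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === "rollup") out.push({ path: here.join(" > "), version: dep.version });
    findRollup(dep, here, out);
  }
  return out;
}

// Copies of rollup still below the fixed version named in the issue.
function auditRollup(tree, fixedVersion = "3.29.5") {
  return findRollup(tree).filter((r) => compareVersions(r.version, fixedVersion) < 0);
}

for (const f of auditRollup(SAMPLE_NPM_LS)) console.log(`rollup@${f.version} via ${f.path}`);
```

To run it against a real project, replace SAMPLE_NPM_LS with `JSON.parse` of the captured `npm ls rollup --json --all` output.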
Status
Waiting for: Product Owner