10 vulnerabilities (5 moderate, 5 high) in a fresh blitz.js project

[ebadta81]

What is the problem?

I just made a fresh project with blitz.js 2.1.1, and it contains 5 high severity package vulnerabilities.

Are these not an actual problem?

$ npm audit 
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/jscodeshift/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/jscodeshift/node_modules/micromatch
    jscodeshift  0.3.20 - 0.13.1
    Depends on vulnerable versions of micromatch
    node_modules/jscodeshift
      @blitzjs/generator  <=0.0.0-turbopack-20240403083540 || >=0.17.1-canary.0
      Depends on vulnerable versions of jscodeshift
      Depends on vulnerable versions of zod
      node_modules/@blitzjs/generator


next  14.0.0 - 14.2.9
Severity: high
Next.js Cache Poisoning - https://github.com/advisories/GHSA-gp8f-8m3g-qvj9
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/next

node-fetch  3.0.0 - 3.2.9
Severity: moderate
node-fetch Inefficient Regular Expression Complexity  - https://github.com/advisories/GHSA-vp56-6g26-6827
fix available via `npm audit fix`
node_modules/node-fetch

semver  7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/blitz/node_modules/semver
  blitz  <=0.0.0-turbopack-20240403083540 || >=2.0.0-alpha.1
  Depends on vulnerable versions of @blitzjs/generator
  Depends on vulnerable versions of jscodeshift
  Depends on vulnerable versions of node-fetch
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of tar
  node_modules/blitz

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

zod  <=3.22.2
Severity: moderate
Zod denial of service vulnerability - https://github.com/advisories/GHSA-m95q-7qp3-xv42
fix available via `npm audit fix`
node_modules/@blitzjs/generator/node_modules/zod

10 vulnerabilities (5 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force 

Paste all your error logs here:

PASTE_HERE (leave the ``` marks)

Paste all relevant code snippets here:

PASTE_HERE (leave the ``` marks)

What are detailed steps to reproduce this?

1. npm install -g blitz
2. blitz new myAppName with default options
3. cd myAppName
4. npm audit

Run blitz -v and paste the output here:

$ blitz -v
Blitz version: 2.1.1 (global)
Blitz version: 2.1.1 (local)
macOS Sequoia | darwin-arm64 | Node: v22.3.0

Package manager: npm

System:
OS: macOS 15.0
CPU: (10) arm64 Apple M1 Max
Memory: 1.27 GB / 32.00 GB
Shell: 3.2.57 - /bin/bash
Binaries:
Node: 22.3.0 - /opt/homebrew/bin/node
Yarn: Not Found
npm: 10.8.1 - /opt/homebrew/bin/npm
npmPackages:
@blitzjs/auth: 2.1.1 => 2.1.1
@blitzjs/next: 2.1.1 => 2.1.1
@blitzjs/rpc: 2.1.1 => 2.1.1
@prisma/client: 5.4.2 => 5.4.2
blitz: 2.1.1 => 2.1.1
next: 14.1.4 => 14.1.4
prisma: 5.4.2 => 5.4.2
react: 18.2.0 => 18.2.0
react-dom: 18.2.0 => 18.2.0
typescript: ^4.8.4 => 4.9.5

Please include below any other applicable logs and screenshots that show your problem:

No response

[ebadta81]

Hi,

$ blitz --version
Blitz version: 2.1.3 (global)
Blitz version: 2.1.3 (local)

10 vulnerabilities (2 low, 4 moderate, 4 high)

This patch Didn't reslove most of the vulnerabilities.