refactor: merge turbopack crates into next.js #68127

Pull Request #68127 Alerts: Complete with warnings

Report	Status	Message
PR #68127 Alerts	⚠️	Found 40 project alerts

Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	CI
CVE	npm/sharp@0.30.7	CVE: GHSA-54xq-cgqr-rpm3 sharp vulnerability in libwebp dependency CVE-2023-4863 (HIGH) Affected versions: < 0.32.6 Patched version: 0.32.6	🚫
CVE	npm/jsonwebtoken@8.5.1	CVE: GHSA-8cf7-32gw-wr33 jsonwebtoken unrestricted key type could lead to legacy keys usage (HIGH) Affected versions: <= 8.5.1 Patched version: 9.0.0	🚫
CVE	npm/ws@6.2.2	CVE: GHSA-3h5v-q93c-6h6q ws affected by a DoS when handling a request with many HTTP headers (HIGH) Affected versions: >= 6.0.0, < 6.2.3 Patched version: 6.2.3	🚫
CVE	npm/dicer@0.3.0	CVE: GHSA-wm7h-9275-46v2 Crash in HeaderParser in dicer (HIGH) Affected versions: <= 0.3.1 Patched version: No patched versions	🚫
Critical CVE	npm/ejs@2.7.4	CVE: GHSA-phwq-j96m-2c2q ejs template injection vulnerability (CRITICAL) Affected versions: < 3.1.7 Patched version: 3.1.7	🚫
CVE	npm/lodash.set@4.3.2	CVE: GHSA-p6mc-m468-83gw Prototype Pollution in lodash (HIGH) Affected versions: >= 3.7.0, <= 4.3.2 Patched version: No patched versions	🚫
CVE	npm/ws@3.3.3	CVE: GHSA-3h5v-q93c-6h6q ws affected by a DoS when handling a request with many HTTP headers (HIGH) Affected versions: >= 2.1.0, < 5.2.4 Patched version: 5.2.4	🚫
Critical CVE	npm/minimist@0.0.10	CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: < 0.2.4 Patched version: 0.2.4	🚫
CVE	npm/node-forge@0.10.0	CVE: GHSA-x4jg-mjrx-434g Improper Verification of Cryptographic Signature in node-forge (HIGH) Affected versions: < 1.3.0 Patched version: 1.3.0	🚫
CVE	npm/node-forge@0.10.0	CVE: GHSA-cfm4-qjh2-4765 Improper Verification of Cryptographic Signature in node-forge (HIGH) Affected versions: < 1.3.0 Patched version: 1.3.0	🚫
Critical CVE	npm/minimist@0.0.8	CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: < 0.2.4 Patched version: 0.2.4	🚫
Critical CVE	npm/mongoose@5.13.15	CVE: GHSA-9m93-w8w6-76hh Mongoose Prototype Pollution vulnerability (CRITICAL) Affected versions: < 5.13.20 Patched version: 5.13.20	🚫
CVE	npm/json5@1.0.1	CVE: GHSA-9c47-m6qq-7p4h Prototype Pollution in JSON5 via Parse Method (HIGH) Affected versions: < 1.0.2 Patched version: 1.0.2	🚫
Critical CVE	npm/vm2@3.9.11	CVE: GHSA-xj72-wvfv-8985 vm2 Sandbox Escape vulnerability (CRITICAL) Affected versions: < 3.9.16 Patched version: 3.9.16	🚫
Critical CVE	npm/vm2@3.9.11	CVE: GHSA-7jxr-cg7f-gpgv vm2 vulnerable to sandbox escape (CRITICAL) Affected versions: < 3.9.15 Patched version: 3.9.15	🚫
Critical CVE	npm/vm2@3.9.11	CVE: GHSA-g644-9gfx-q4q4 vm2 Sandbox Escape vulnerability (CRITICAL) Affected versions: <= 3.9.19 Patched version: No patched versions	🚫
Critical CVE	npm/vm2@3.9.11	CVE: GHSA-whpj-8f3w-67p5 vm2 Sandbox Escape vulnerability (CRITICAL) Affected versions: < 3.9.18 Patched version: 3.9.18	🚫
Critical CVE	npm/vm2@3.9.11	CVE: GHSA-ch3r-j5x3-6q2m vm2 Sandbox Escape vulnerability (CRITICAL) Affected versions: < 3.9.17 Patched version: 3.9.17	🚫
Critical CVE	npm/vm2@3.9.11	CVE: GHSA-cchq-frgv-rjh5 vm2 Sandbox Escape vulnerability (CRITICAL) Affected versions: <= 3.9.19 Patched version: No patched versions	🚫
Critical CVE	npm/crypto-js@3.3.0	CVE: GHSA-xwcq-pm8m-c4vf crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard (CRITICAL) Affected versions: < 4.2.0 Patched version: 4.2.0	🚫
Critical CVE	npm/underscore@1.7.0	CVE: GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore (CRITICAL) Affected versions: >= 1.3.2, < 1.12.1 Patched version: 1.12.1	🚫
Critical CVE	npm/socket.io-parser@3.3.2	CVE: GHSA-qm95-pgcg-qqfq Insufficient validation when decoding a Socket.IO packet (CRITICAL) Affected versions: < 3.3.3 Patched version: 3.3.3	🚫
CVE	npm/socket.io-parser@3.3.2	CVE: GHSA-cqmj-92xf-r6r9 Insufficient validation when decoding a Socket.IO packet (HIGH) Affected versions: < 3.3.4 Patched version: 3.3.4	🚫
Critical CVE	npm/socket.io-parser@3.4.1	CVE: GHSA-qm95-pgcg-qqfq Insufficient validation when decoding a Socket.IO packet (CRITICAL) Affected versions: >= 3.4.0, < 3.4.2 Patched version: 3.4.2	🚫
CVE	npm/socket.io-parser@3.4.1	CVE: GHSA-cqmj-92xf-r6r9 Insufficient validation when decoding a Socket.IO packet (HIGH) Affected versions: >= 3.4.0, < 3.4.3 Patched version: 3.4.3	🚫
CVE	npm/dottie@2.0.2	CVE: GHSA-4gxf-g5gf-22h4 dottie vulnerable to Prototype Pollution (HIGH) Affected versions: < 2.0.4 Patched version: 2.0.4	🚫
CVE	npm/json-bigint@0.3.1	CVE: GHSA-wgfq-7857-4jcc Uncontrolled Resource Consumption in json-bigint (HIGH) Affected versions: < 1.0.0 Patched version: 1.0.0	🚫
Critical CVE	npm/chrome-launcher@0.10.7	CVE: GHSA-gp2j-mg4w-2rh5 chrome-launcher subject to OS Command Injection (CRITICAL) Affected versions: < 0.13.2 Patched version: 0.13.2	🚫
CVE	npm/ws@3.3.2	CVE: GHSA-3h5v-q93c-6h6q ws affected by a DoS when handling a request with many HTTP headers (HIGH) Affected versions: >= 2.1.0, < 5.2.4 Patched version: 5.2.4	🚫
Critical CVE	npm/xmldom@0.1.19	CVE: GHSA-crh6-fp67-6883 xmldom allows multiple root nodes in a DOM (CRITICAL) Affected versions: <= 0.6.0 Patched version: No patched versions	🚫
CVE	npm/uglify-js@2.4.24	CVE: GHSA-c9f4-xj24-8jqx Regular Expression Denial of Service in uglify-js (HIGH) Affected versions: < 2.6.0 Patched version: 2.6.0	🚫
Critical CVE	npm/sequelize@5.22.5	CVE: GHSA-vqfx-gj96-3w95 Unsafe fall-through in getWhereConditions (CRITICAL) Affected versions: < 6.28.1 Patched version: 6.28.1	🚫
Critical CVE	npm/sequelize@5.22.5	CVE: GHSA-f598-mfpv-gmfx Sequelize - Default support for “raw attributes” when using parentheses (CRITICAL) Affected versions: < 6.29.0 Patched version: 6.29.0	🚫
Critical CVE	npm/sequelize@5.22.5	CVE: GHSA-wrh9-cjv3-2hpw Sequelize vulnerable to SQL Injection via replacements (CRITICAL) Affected versions: < 6.19.1 Patched version: 6.19.1	🚫
CVE	npm/msgpackr@1.7.2	CVE: GHSA-7hpj-7hhx-2fgx msgpackr's conversion of property names to strings can trigger infinite recursion (HIGH) Affected versions: < 1.10.1 Patched version: 1.10.1	🚫
CVE	npm/dicer@0.3.1	CVE: GHSA-wm7h-9275-46v2 Crash in HeaderParser in dicer (HIGH) Affected versions: <= 0.3.1 Patched version: No patched versions	🚫
CVE	npm/sqlite3@5.1.2	CVE: GHSA-jqv5-7xpx-qj74 sqlite vulnerable to code execution due to Object coercion (HIGH) Affected versions: >= 5.0.0, < 5.1.5 Patched version: 5.1.5	🚫
CVE	npm/swig@1.4.2	CVE: GHSA-2rq5-699j-x7p6 Arbitrary local file read vulnerability during template rendering (HIGH) Affected versions: <= 1.4.2 Patched version: No patched versions	🚫
CVE	npm/luxon@3.0.4	CVE: GHSA-3xq5-wjfh-ppjc Luxon Inefficient Regular Expression Complexity vulnerability (HIGH) Affected versions: >= 3.0.0, < 3.2.1 Patched version: 3.2.1	🚫
Critical CVE	npm/chrome-launcher@0.11.2	CVE: GHSA-gp2j-mg4w-2rh5 chrome-launcher subject to OS Command Injection (CRITICAL) Affected versions: < 0.13.2 Patched version: 0.13.2	🚫

View full report↗︎

Next steps

What is a CVE?

Contains a high severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/sharp@0.30.7
@SocketSecurity ignore npm/jsonwebtoken@8.5.1
@SocketSecurity ignore npm/ws@6.2.2
@SocketSecurity ignore npm/dicer@0.3.0
@SocketSecurity ignore npm/ejs@2.7.4
@SocketSecurity ignore npm/lodash.set@4.3.2
@SocketSecurity ignore npm/ws@3.3.3
@SocketSecurity ignore npm/minimist@0.0.10
@SocketSecurity ignore npm/node-forge@0.10.0
@SocketSecurity ignore npm/minimist@0.0.8
@SocketSecurity ignore npm/mongoose@5.13.15
@SocketSecurity ignore npm/json5@1.0.1
@SocketSecurity ignore npm/vm2@3.9.11
@SocketSecurity ignore npm/crypto-js@3.3.0
@SocketSecurity ignore npm/underscore@1.7.0
@SocketSecurity ignore npm/socket.io-parser@3.3.2
@SocketSecurity ignore npm/socket.io-parser@3.4.1
@SocketSecurity ignore npm/dottie@2.0.2
@SocketSecurity ignore npm/json-bigint@0.3.1
@SocketSecurity ignore npm/chrome-launcher@0.10.7
@SocketSecurity ignore npm/ws@3.3.2
@SocketSecurity ignore npm/xmldom@0.1.19
@SocketSecurity ignore npm/uglify-js@2.4.24
@SocketSecurity ignore npm/sequelize@5.22.5
@SocketSecurity ignore npm/msgpackr@1.7.2
@SocketSecurity ignore npm/dicer@0.3.1
@SocketSecurity ignore npm/sqlite3@5.1.2
@SocketSecurity ignore npm/swig@1.4.2
@SocketSecurity ignore npm/luxon@3.0.4
@SocketSecurity ignore npm/chrome-launcher@0.11.2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refactor: merge turbopack crates into next.js #68127

refactor: merge turbopack crates into next.js #68127

Pull Request #68127 Alerts: Complete with warnings

Details

Next steps

Re-running checks...

refactor: merge turbopack crates into next.js #68127

chore: fix references for the new turbopack crates (#68128)

refactor: merge turbopack crates into next.js #68127

Pull Request #68127 Alerts: Complete with warnings

Details

Next steps

Re-running checks...