4.0.0-beta.7 breaks grype scanning #1825

Closed
6 tasks done
WTPOptAxe opened this issue Nov 26, 2024 · 2 comments
Description

When upgrading from 3.5 to 4.0.0-beta.7, grype scanning breaks for auth0/nextjs-auth0 and next. Installed versions are misreported, and fixed versions are older than we have installed.

The incorrect output from the repro below is as follows:

NAME                 INSTALLED                     FIXED-IN           TYPE  VULNERABILITY        SEVERITY
@auth0/nextjs-auth0  file:../..                    1.4.2              npm   GHSA-954c-jjx6-cxv7  High
@auth0/nextjs-auth0  file:../..                    1.6.2              npm   GHSA-2mqv-4j3r-vjvp  Medium
@eslint/plugin-kit   0.2.2                         0.2.3              npm   GHSA-7q7g-4xm8-89cq  Low
cross-spawn          7.0.3                         7.0.5              npm   GHSA-3xgq-45jj-v275  High
next                 file:../../node_modules/next  5.1.0              npm   GHSA-5vj8-3v2h-h38v  High
next                 file:../../node_modules/next  11.1.3             npm   GHSA-25mp-g6fv-mqxx  High
next                 file:../../node_modules/next  11.1.0             npm   GHSA-vxf5-wxwp-m7g9  Medium
next                 file:../../node_modules/next  9.3.2              npm   GHSA-fq77-7p7r-83rj  Medium
next                 file:../../node_modules/next  13.4.20-canary.13  npm   GHSA-c59h-r6p8-q9wc  Low

We expect this output to be:

NAME                 INSTALLED                     FIXED-IN           TYPE  VULNERABILITY        SEVERITY
@eslint/plugin-kit   0.2.2                         0.2.3              npm   GHSA-7q7g-4xm8-89cq  Low
cross-spawn          7.0.3                         7.0.5              npm   GHSA-3xgq-45jj-v275  High

Reproduction

yarn create next-app grypetest --no-install
cd grypetest
corepack enable
yarn set version stable
yarn install
grype . # all good at this point
# add `"@auth0/nextjs-auth0": "^4.0.0-beta.7",` to package.json
yarn install
grype . # gives incorrect responses

Additional context

No response

nextjs-auth0 version

4.0.0-beta.7

Next.js version

15.0.3

Node.js version

v22.11.0

guabu commented Dec 5, 2024

Hey @WTPOptAxe 👋 Thanks for reporting this! We've included a fix in the upcoming release to exclude non-dist files which were triggering the errors reported.

@nandan-bhat

This issue is fixed on 4.0.0-beta.10. Closing this ticket.
