Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm audit: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS #13758

Closed
3 tasks done
mozeryansky opened this issue Sep 24, 2024 · 2 comments · Fixed by #13761
Closed
3 tasks done

npm audit: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS #13758

mozeryansky opened this issue Sep 24, 2024 · 2 comments · Fixed by #13761
Assignees
@chargome
Labels
Package: nextjs Issues related to the Sentry Nextjs SDK

Comments

@mozeryansky
Copy link

Is there an existing issue for this?

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/nextjs

SDK Version

8.31.0

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

When I run npm audit the suggestion is to download Sentry.

rollup  <3.29.5
Severity: high
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - https://github.com/advisories/GHSA-gcx4-mw62-g8wm
fix available via `npm audit fix --force`
Will install @sentry/nextjs@7.11.1, which is a breaking change
node_modules/rollup
  @sentry/nextjs  >=7.12.0
  Depends on vulnerable versions of rollup
  node_modules/@sentry/nextjs

Steps to Reproduce

  1. npm i @sentry/nextjs@latest
  2. npm audit

Expected Result

No security issues

Actual Result

Image
@getsantry getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 3 Sep 24, 2024
@mozeryansky mozeryansky changed the title npm audti: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS npm audit: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS Sep 24, 2024
@github-actions github-actions bot added the Package: nextjs Issues related to the Sentry Nextjs SDK label Sep 24, 2024
@mozeryansky
Copy link
Author

mozeryansky commented Sep 24, 2024
edited
Loading

npm ls rollup reveals this:

└─┬ @sentry/nextjs@8.31.0
  ├─┬ @rollup/plugin-commonjs@26.0.1
  │ ├─┬ @rollup/pluginutils@5.1.2
  │ │ └── rollup@3.29.4 deduped
  │ └── rollup@3.29.4 deduped
  └── rollup@3.29.4

But "rollup" is a peer dependency in the plugins defined as: "rollup": "^2.68.0||^3.0.0||^4.0.0", so the fix should come from Sentry.

@chargome chargome self-assigned this Sep 24, 2024
@chargome chargome mentioned this issue Sep 24, 2024
Merged
@github-actions GitHub Actions
Copy link
Contributor

A PR closing this issue has just been released 🚀

This issue was closed by PR #13761, which was included in the 8.32.0 release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chargome chargome

Labels
Package: nextjs Issues related to the Sentry Nextjs SDK
Projects
GitHub Issues with 👀 3
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(nextjs): Bump rollup to 3.29.5 getsentry/sentry-javascript
2 participants
@mozeryansky @chargome