Ericsson / CodeCompass

CodeCompass is a software comprehension tool for large-scale software written in C/C++ and Java
https://codecompass.net
GNU General Public License v3.0

Update Next.js to fix security issues #667

Closed wbqpk3 closed 3 months ago

wbqpk3 commented 7 months ago

See the OpenSSF security test (https://github.com/Ericsson/CodeCompass/issues/659).

{
  "details": [
    "Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc",
    "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j",
    "Warn: Project is vulnerable to: GHSA-m95q-7qp3-xv42"
  ],
  "score": 7,
  "reason": "3 existing vulnerabilities detected",
  "name": "Vulnerabilities",
  "documentation": {
    "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
    "short": "Determines if the project has open, known unfixed vulnerabilities."
  }
}

# npm audit report

next  0.9.9 - 13.5.4-canary.11
Severity: moderate
Next.js missing cache-control header may lead to CDN caching empty reply - https://github.com/advisories/GHSA-c59h-r6p8-q9wc
Depends on vulnerable versions of postcss
Depends on vulnerable versions of zod
fix available via `npm audit fix --force`
Will install next@13.5.6, which is outside the stated dependency range
node_modules/next

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install next@13.5.6, which is outside the stated dependency range
node_modules/postcss

zod  <=3.22.2
Zod denial of service vulnerability - https://github.com/advisories/GHSA-m95q-7qp3-xv42
fix available via `npm audit fix --force`
Will install next@13.5.6, which is outside the stated dependency range
node_modules/zod

3 vulnerabilities (1 low, 2 moderate)

To address all issues, run:
  npm audit fix --force

mcserep commented 7 months ago

This has also been reported by dependabot previously, see #640, #641 and #656.

We did not update Next.JS from 13.4 to 13.5, as there were ongoing issues with NextJS 13.5 and MUI compatibility (see https://github.com/vercel/next.js/issues/55663), which I did not want to resolve. See #635 for reference.

Since a month has passed, we can reevaluate this; hopefully they have resolved it since then.

LoremIPsummer commented 7 months ago

@mcserep Just looked into it. I've managed to reproduce the warning-related error with version 13.5.1. Based on the issue on their repository, the current stable version 14.0.1 seems to be working properly, and besides some very easily resolvable breaking changes, I don't see a reason why we don't just upgrade to it.

mcserep commented 7 months ago

I don't see a reason why we don't just upgrade to it.

Simply because Next.JS 14 was released 2 weeks ago and the original issue is older than that. Next.JS 14 was simply not available at the time.

Now if it is working, we can update to it, but we also have to consider the breaking changes, as this is a major version upgrade. I will write regarding that in your PR.