Unleash / unleash-client-nextjs

Unleash SDK for Next.js

Security vulnerability - need to update unleash-client dependency #81

Closed mltsy closed 2 months ago

mltsy commented 2 months ago

Describe the bug

This is the vulnerability: https://github.com/advisories/GHSA-2p57-rm9w-gvfp

It was fixed in unleash-client-node 5.5.4: https://github.com/Unleash/unleash-client-node/pull/622

Steps to reproduce the bug

No response

Expected behavior

No response

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

5.6.6

Subscription type

Open source

Hosting type

Self-hosted

SDK information (language and version)

unleash-client-nextjs@1.4.3 (and possibly other dependents of unleash-client-node?)
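An added check, not code from the issue or from the Unleash project, that walks a package-lock.json and reports every resolved copy of the Node SDK older than the 5.5.4 fix named above, including nested copies pulled in by a dependent such as this SDK. It assumes the npm package name of unleash-client-node is `unleash-client`; the sample lockfile is constructed.

```python
"""Report copies of unleash-client below the fixed release in a package-lock.json."""
import json
import re
import sys
from typing import Iterator, List, Tuple

FIXED_VERSION = "5.5.4"      # fix version from the issue (unleash-client-node PR #622)
PACKAGE = "unleash-client"   # assumed npm name of unleash-client-node


def parse_version(v: str) -> Tuple[int, int, int, int, str]:
    """Turn '5.5.4' or '5.5.4-beta.0' into a comparable tuple (pre-release sorts lower)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def is_fixed(version: str) -> bool:
    return parse_version(version) >= parse_version(FIXED_VERSION)


def find_installs(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (path, version) for each installed copy; supports lockfile v1 and v2/v3."""
    for path, meta in lock.get("packages", {}).items():          # v2/v3: flat, keyed by path
        if path.split("node_modules/")[-1] == PACKAGE and "version" in meta:
            yield path, meta["version"]

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str]]:  # v1: nested tree
        for name, meta in deps.items():
            p = f"{prefix}node_modules/{name}"
            if name == PACKAGE and "version" in meta:
                yield p, meta["version"]
            yield from walk(meta.get("dependencies", {}), p + "/")

    if "packages" not in lock:
        yield from walk(lock.get("dependencies", {}), "")


def vulnerable_installs(lock: dict) -> List[Tuple[str, str]]:
    return [(p, v) for p, v in find_installs(lock) if not is_fixed(v)]


# Constructed sample: the top-level copy is fixed, but a nested copy is still 5.5.3.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app"},
        "node_modules/unleash-client-nextjs": {"version": "1.4.3"},
        "node_modules/unleash-client-nextjs/node_modules/unleash-client": {"version": "5.5.3"},
        "node_modules/unleash-client": {"version": "5.5.4"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    bad = vulnerable_installs(lock)
    for path, version in bad:
        print(f"{path}: {version} < {FIXED_VERSION}")
    sys.exit(1 if bad else 0)
```

Run it with a real lockfile path as the first argument; a non-zero exit makes it usable as a CI gate.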

mltsy commented 2 months ago

Ah! This appears to be fixed in 1.4.4-beta.0 (although it's not noted in the tag description)

Tymek commented 2 months ago

We will ship a new version today. I checked, and this SDK doesn't use the vulnerable package, because it doesn't support the "IP" and "Hostname" strategies.

Tymek commented 2 months ago

v1.4.4