Closed AndreyKovanov closed 1 month ago
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.
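To make the failure mode in the advisory concrete, here is an added example (not inflight's source and not Sentry project code) of a simplified in-flight request coalescer: the first caller for a key receives a completion function, later callers for the same key are queued, and the key is released only when completion runs. The leaky variant releases the key nowhere else, so every completion function that is dropped without being called leaves its key behind. The hardened variant records creation time and sweeps stale entries with an injected clock; the names, the 30-second age limit and the dropped-completion scenario are assumptions for illustration.

```javascript
'use strict';

// Leaky variant: the key is deleted from `reqs` only inside the completion
// function. If it is never invoked (the operation hangs, the caller errors
// out before calling it, or simply drops it), the entry lives forever.
function createLeakyInflight() {
  const reqs = Object.create(null);

  function inflight(key, cb) {
    if (reqs[key]) {
      reqs[key].push(cb);
      return null; // not the first caller: wait for the first one's completion
    }
    reqs[key] = [cb];
    return makeres(key);
  }

  function makeres(key) {
    let done = false;
    return function res(...args) {
      if (done) return; // run at most once
      done = true;
      const cbs = reqs[key] || [];
      try {
        for (const cb of cbs) cb(...args);
      } finally {
        delete reqs[key]; // the only place a key is ever released
      }
    };
  }

  return { inflight, size: () => Object.keys(reqs).length };
}

// Hardened variant: every entry carries a creation timestamp, and a sweep
// releases entries older than `maxAgeMs` whether or not completion ran,
// failing queued waiters with an error instead of leaving them hanging.
function createBoundedInflight({ maxAgeMs, now = () => Date.now() }) {
  const reqs = new Map(); // key -> { cbs, createdAt }

  function inflight(key, cb) {
    const entry = reqs.get(key);
    if (entry) {
      entry.cbs.push(cb);
      return null;
    }
    reqs.set(key, { cbs: [cb], createdAt: now() });
    return makeres(key);
  }

  function makeres(key) {
    let done = false;
    return function res(...args) {
      if (done) return;
      done = true;
      const entry = reqs.get(key);
      reqs.delete(key);
      if (entry) for (const cb of entry.cbs) cb(...args);
    };
  }

  function expireStale() {
    const cutoff = now() - maxAgeMs;
    let released = 0;
    for (const [key, entry] of reqs) {
      if (entry.createdAt > cutoff) continue;
      reqs.delete(key); // safe during Map iteration
      released += 1;
      const err = new Error(`in-flight request ${key} expired`);
      for (const cb of entry.cbs) cb(err);
    }
    return released;
  }

  return { inflight, expireStale, size: () => reqs.size };
}

// Constructed scenario: `count` distinct keys whose completion functions are
// discarded without ever being called, then one minute of simulated time.
function simulateDroppedCompletions(count) {
  const leaky = createLeakyInflight();
  let clock = 0;
  const bounded = createBoundedInflight({ maxAgeMs: 30000, now: () => clock });
  let expiredWaiters = 0;

  for (let i = 0; i < count; i++) {
    leaky.inflight(`op-${i}`, () => {});
    bounded.inflight(`op-${i}`, (err) => { if (err) expiredWaiters += 1; });
  }
  clock += 60000;
  const released = bounded.expireStale();
  return { leakyKeys: leaky.size(), boundedKeys: bounded.size(), released, expiredWaiters };
}

console.log(simulateDroppedCompletions(1000));
```

The sweep takes a clock as a parameter rather than calling setTimeout so the cleanup path can be exercised deterministically in a test; in production the same function would run on an interval, and the age limit should be set from the longest legitimate duration of the operation being coalesced.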
@rollup/plugin-commonjs is not used by the server-side part of the SDK; it is a build tool, used during build time. Therefore this vulnerability does not apply to users of the Next.js SDK.
PRs are welcome if you would like to upgrade the @rollup/plugin-commonjs dep!
Released with https://github.com/getsentry/sentry-javascript/releases/tag/8.10.0 - thanks for the PR @AndreyKovanov
Is there an existing issue for this?
How do you use Sentry?
Sentry Saas (sentry.io)
Which SDK are you using?
@sentry/nextjs
SDK Version
8.9.2
Framework Version
No response
Link to Sentry event
No response
SDK Setup
No response
Steps to Reproduce
npm ls inflight --omit=dev
@sentry/nextjs is dependent on the inflight package. The inflight package is deprecated and has the vulnerability. To fix the vulnerability, the @rollup/plugin-commonjs package needs to be updated to version 26+.
Expected Result
The @sentry/next package doesn't depend on the inflight package.
Actual Result
The @sentry/next package depends on the inflight package.
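The reproduction above asks npm whether inflight is still reachable once devDependencies are omitted, and the maintainer's reply turns on the same question: is the flagged package reachable through a dependency edge that ends up in the shipped runtime? The following is an added example (not Sentry project code) that answers that offline from a package-lock.json (lockfileVersion 2 or 3 "packages" map) by walking dependency edges from the project root with Node-style nested node_modules resolution, listing every chain to a target package, with and without devDependencies. The embedded lockfile is constructed for illustration: the package names are real, but its versions and edges are assumptions, not a claim about what any real release of these packages depends on.

```javascript
'use strict';

// Constructed lockfile (assumption for this example, not a real project's).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { '@sentry/nextjs': '^8.9.2' },
      devDependencies: { glob: '^7.2.0' },
    },
    'node_modules/@sentry/nextjs': {
      version: '8.9.2',
      dependencies: { '@rollup/plugin-commonjs': '24.0.0', '@sentry/node': '8.9.2' },
    },
    'node_modules/@sentry/node': { version: '8.9.2' },
    'node_modules/@rollup/plugin-commonjs': {
      version: '24.0.0',
      dependencies: { glob: '^8.0.3' },
    },
    // nested copy: the root already holds a glob@7 that does not satisfy ^8
    'node_modules/@rollup/plugin-commonjs/node_modules/glob': {
      version: '8.1.0',
      dependencies: { inflight: '^1.0.4' },
    },
    'node_modules/glob': { version: '7.2.3', dev: true, dependencies: { inflight: '^1.0.4' } },
    'node_modules/inflight': { version: '1.0.6' },
  },
};

// Node-style resolution within the lockfile: try the dependent's own
// node_modules first, then walk up one node_modules level at a time.
function resolveDep(packages, fromLoc, name) {
  let base = fromLoc;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Every chain root -> ... -> target, as arrays of "name@version".
// includeDev decides whether the root's devDependencies are followed;
// transitive packages only ever contribute their regular dependencies.
function findDependencyPaths(lock, target, { includeDev = false } = {}) {
  const packages = lock.packages;
  const paths = [];

  function edges(loc) {
    const entry = packages[loc] || {};
    const names = Object.keys(entry.dependencies || {});
    if (loc === '' && includeDev) names.push(...Object.keys(entry.devDependencies || {}));
    return names;
  }

  function walk(loc, chain, onStack) {
    for (const name of edges(loc)) {
      const depLoc = resolveDep(packages, loc, name);
      if (!depLoc || onStack.has(depLoc)) continue; // unresolved edge or cycle
      const next = chain.concat(`${name}@${packages[depLoc].version}`);
      if (name === target) { paths.push(next); continue; }
      onStack.add(depLoc);
      walk(depLoc, next, onStack);
      onStack.delete(depLoc);
    }
  }

  walk('', [], new Set(['']));
  return paths;
}

// True when at least one chain avoids the root's devDependencies, i.e. the
// package would be installed by `npm install --omit=dev`.
function isProductionReachable(lock, target) {
  return findDependencyPaths(lock, target).length > 0;
}

for (const includeDev of [false, true]) {
  console.log(`includeDev=${includeDev}`);
  for (const p of findDependencyPaths(SAMPLE_LOCK, 'inflight', { includeDev })) {
    console.log('  ' + p.join(' > '));
  }
}
```

Note what the check does and does not tell you: a package that is production-reachable in the lockfile will be installed on the server, but, as the maintainer points out for @rollup/plugin-commonjs, that is not the same as being loaded at runtime. Reachability is the first triage step; deciding whether the code path is actually exercised still requires looking at how the dependent uses it.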