leandroercoli / SaasterKit

A Next.js Boilerplate Kit designed to streamline the development process and accelerate the creation of modern web applications with pre-configured essential features.
97 stars, 23 forks

Very interesting repo - any chance it will be maintained? ... as of now it has 4 vulnerabilities #4

Open avibathula opened 2 months ago

avibathula commented 2 months ago

Hi @leandroercoli - I am very excited to find your repo and I feel it has a lot of potential - do you plan to actively maintain it?

If yes ... here are two thoughts

  1. At the minimum, it needs unit tests - even if it is just to validate that primary functionality is still working as you upgrade dependencies. For anyone wanting to embrace and leverage it in production with peace of mind, tests are essential.

  2. Not everyone needs all features - so one needs to be able to disable/enable just the features they need. For example, Saasterkit is currently forcing users to have a LemonSqueezy account but some of them may not want to put in payment systems until they find/reach PMF (Product Market Fit).

Looking forward to hearing back from you

Regards, -Avi

avibathula commented 2 months ago

As of now - just following your instructions

$npm install

added 1070 packages, and audited 1071 packages in 9s

317 packages are looking for funding
  run `npm fund` for details

4 vulnerabilities (1 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

and then running the suggested command is resulting in

$npm audit fix

changed 14 packages, and audited 1071 packages in 4s

317 packages are looking for funding
  run `npm fund` for details

# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @clerk/nextjs@4.6.18, which is a breaking change
node_modules/path-to-regexp
  @clerk/nextjs  >=4.16.5-staging.0
  Depends on vulnerable versions of path-to-regexp
  node_modules/@clerk/nextjs

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

and running the suggested command again

npm warn using --force Recommended protections disabled.
npm warn audit Updating @clerk/nextjs to 4.6.18, which is a SemVer major change.

added 10 packages, removed 1 package, changed 1 package, and audited 1080 packages in 4s

318 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

The command attempted to fix the vulnerabilities, including the high severity issue with path-to-regexp, by updating @clerk/nextjs to version 4.6.18. However, the update was a breaking change and from there it was downhill, a series of failures 👎 👎 👎

1 of 1 error
Next.js (14.2.3) out of date (learn more)
Server Error
TypeError: (0 , _clerk_nextjs__WEBPACK_IMPORTED_MODULE_0__.authMiddleware) is not a function

This error happened while generating the page. Any console logs will be displayed in the terminal window.
Source
src/middleware.ts (6:1) @ <unknown>

  4 |
  5 | // Clerk auth middleware
> 6 | export default authMiddleware({
    | ^
  7 |     // Execute next-intl middleware before Clerk's auth middleware
  8 |     beforeAuth: (req) => {
  9 |         // Only execute the locale middleware if the request is for a page (not an API route)

NOTE: See "Next.js (14.2.3) out of date (learn more)" - I guess the repo needs some TLC and active maintenance 👍
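The failure mode in the comments above is `npm audit fix --force` silently crossing a SemVer major boundary (@clerk/nextjs to 4.6.18) to clear a transitive finding, which then broke `authMiddleware`. The following is an added example, not code from the SaasterKit repository or its author: a small Node script that triages the machine-readable `npm audit --json` report so a CI job can fail on severity while calling out which fixes are semver-major and therefore need a human review rather than `--force`. The embedded report is a constructed sample in the shape of npm's `auditReportVersion: 2` output; the package names, version range, advisory URL and the 4.6.18 fix version are taken from the issue text. The file name `audit-gate.js` and the `AUDIT_THRESHOLD` variable are assumptions of this example.

```javascript
// audit-gate.js (added example, not part of SaasterKit): triage `npm audit --json`.
// Usage in CI:  npm audit --json > audit.json; node audit-gate.js audit.json
// Run without arguments it triages the constructed SAMPLE_REPORT below.
'use strict';

// CONSTRUCTED sample shaped like npm's audit JSON (auditReportVersion 2).
// Values mirror the finding reported in the issue: path-to-regexp pulled in
// by @clerk/nextjs, fixable only by a SemVer-major bump of @clerk/nextjs.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'path-to-regexp': {
      name: 'path-to-regexp',
      severity: 'high',
      isDirect: false,
      via: [{
        title: 'path-to-regexp outputs backtracking regular expressions',
        url: 'https://github.com/advisories/GHSA-9wv6-86v2-598j',
        severity: 'high',
        range: '0.2.0 - 7.2.0',
      }],
      effects: ['@clerk/nextjs'],
      range: '0.2.0 - 7.2.0',
      nodes: ['node_modules/path-to-regexp'],
      fixAvailable: { name: '@clerk/nextjs', version: '4.6.18', isSemVerMajor: true },
    },
    '@clerk/nextjs': {
      name: '@clerk/nextjs',
      severity: 'high',
      isDirect: true,
      via: ['path-to-regexp'], // a string entry means "inherited from that package"
      effects: [],
      range: '>=4.16.5-staging.0',
      nodes: ['node_modules/@clerk/nextjs'],
      fixAvailable: { name: '@clerk/nextjs', version: '4.6.18', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 2, critical: 0, total: 2 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return the findings at or above `threshold`, and the subset whose only
// available fix is a SemVer-major bump (the case `--force` applies blindly).
function triageAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  const blocking = [];
  const needsMajorBump = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if (SEVERITY_RANK[v.severity] < min) continue;
    // Only object entries in `via` carry advisory metadata; strings point at
    // another package in the report whose advisories are listed there.
    const advisories = (v.via || [])
      .filter((x) => typeof x === 'object')
      .map((x) => x.url);
    blocking.push({ name, severity: v.severity, direct: Boolean(v.isDirect), advisories });
    const fix = v.fixAvailable;
    if (fix && typeof fix === 'object' && fix.isSemVerMajor) {
      needsMajorBump.push({ name, fixVia: `${fix.name}@${fix.version}` });
    }
  }
  return { blocking, needsMajorBump, shouldFail: blocking.length > 0 };
}

function exitCodeFor(result) {
  return result.shouldFail ? 1 : 0;
}

function main() {
  const file = process.argv[2];
  const report = file
    ? JSON.parse(require('node:fs').readFileSync(file, 'utf8'))
    : SAMPLE_REPORT;
  const result = triageAudit(report, process.env.AUDIT_THRESHOLD || 'high');
  for (const f of result.blocking) {
    console.log(`${f.severity.toUpperCase()} ${f.name}${f.direct ? ' (direct)' : ''} ${f.advisories.join(' ')}`);
  }
  for (const m of result.needsMajorBump) {
    console.log(`REVIEW: ${m.name} is only fixable via ${m.fixVia} (SemVer major; do not rely on --force)`);
  }
  // Only gate the process when a real report was supplied; the sample is a dry run.
  if (file) process.exitCode = exitCodeFor(result);
}

if (typeof require !== 'undefined' && require.main === module) main();

module.exports = { SAMPLE_REPORT, SEVERITY_RANK, triageAudit, exitCodeFor };
```

The point of separating `needsMajorBump` from `blocking` is that the two lists call for different actions: findings in `blocking` fail the build, while a SemVer-major fix is a signal to pin the upgrade in a dedicated PR with the test suite the first comment asks for, instead of letting `npm audit fix --force` rewrite the dependency tree.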