
It seems that version 12.0.1 is showing a lot of warnings and some high severity vulnerabilities #30403

Closed
franklinjavier opened this issue Oct 27, 2021 · 9 comments
Labels
bug Issue was opened via the bug report template.

Comments

@franklinjavier

franklinjavier commented Oct 27, 2021

What version of Next.js are you using?

12.0.1

What version of Node.js are you using?

16.11.1

What browser are you using?

Chrome

What operating system are you using?

macOS

How are you deploying your application?

next start, next export

Describe the Bug

Hi guys, it seems that version 12.0.1 is showing a lot of warnings, as you can see here, and 17 high severity vulnerabilities.

Expected Behavior

Same as 12.0.0

To Reproduce

▲  rm -rf package-lock.json node_module
▲  npm i next@12.0.1
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN Found: react@17.0.2
npm WARN node_modules/react
npm WARN   react@"^17.0.2" from the root project
npm WARN   99 more (@grupoboticario/flora-react, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN node_modules/react-server-dom-webpack
npm WARN   react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN   node_modules/next
npm WARN
npm WARN Conflicting peer dependency: react@0.0.0-experimental-3c4c1c470-20211021
npm WARN node_modules/react
npm WARN   peer react@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN   node_modules/react-server-dom-webpack
npm WARN     react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN     node_modules/next
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN Found: react-dom@17.0.2
npm WARN node_modules/react-dom
npm WARN   react-dom@"^17.0.2" from the root project
npm WARN   12 more (@radix-ui/react-announce, @radix-ui/react-dialog, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react-dom@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN node_modules/react-server-dom-webpack
npm WARN   react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN   node_modules/next
npm WARN
npm WARN Conflicting peer dependency: react-dom@0.0.0-experimental-3c4c1c470-20211021
npm WARN node_modules/react-dom
npm WARN   peer react-dom@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN   node_modules/react-server-dom-webpack
npm WARN     react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN     node_modules/next
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

> template-nextjs@0.0.1 prepare
> husky install

husky - Git hooks installed

added 292 packages, changed 6 packages, and audited 1486 packages in 24s

123 packages are looking for funding
  run `npm fund` for details

17 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
▲  npm ls webpack
template-nextjs@0.0.1 /Users/franklinjavier/Projects/github/template-nextjs
└─┬ next@12.0.1
  ├─┬ @next/react-dev-overlay@12.0.1
  │ └─┬ webpack@4.46.0
  │   └─┬ terser-webpack-plugin@1.4.5
  │     └── webpack@4.46.0 deduped
  ├─┬ @next/react-refresh-utils@12.0.1
  │ └── webpack@4.46.0 deduped
  └─┬ react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
    └── webpack@4.46.0 deduped

12.0.0

▲  rm -rf package-lock.json node_module
▲  npm i next@12.0.0

> template-nextjs@0.0.1 prepare
> husky install

husky - Git hooks installed

removed 292 packages, changed 6 packages, and audited 1194 packages in 8s

122 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
@franklinjavier franklinjavier added the bug Issue was opened via the bug report template. label Oct 27, 2021
@JonShort

Seems to be caused by the new dependency on react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021, since that brings in webpack 4.x.x


@tejasness

I have the same issue on node version 16.13.0

@stshort

stshort commented Oct 27, 2021

Also confirmed I'm having the same issue on 12.0.1, will hold off on 12.0.1 until this is resolved. Thought it was due to other packages but yeah it definitely seems to be due to the dependency on react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021 that seems to be erroneously included.

@Talendar

Same here.

@rtritto

rtritto commented Oct 27, 2021

Similar issue: #30481

@imranbarbhuiya
Contributor

same here

# npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of readdirp
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/webpack/node_modules/watchpack
        webpack  4.0.0-alpha.0 - 5.0.0-rc.6
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of watchpack
        node_modules/webpack

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix`
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/micromatch/node_modules/braces
        node_modules/watchpack-chokidar2/node_modules/braces
          chokidar  1.0.0-rc1 - 2.1.8
          Depends on vulnerable versions of braces
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of readdirp
          node_modules/watchpack-chokidar2/node_modules/chokidar
            watchpack-chokidar2  *
            Depends on vulnerable versions of chokidar
            node_modules/watchpack-chokidar2
              watchpack  1.7.2 - 1.7.5
              Depends on vulnerable versions of watchpack-chokidar2
              node_modules/webpack/node_modules/watchpack
                webpack  4.0.0-alpha.0 - 5.0.0-rc.6
                Depends on vulnerable versions of micromatch
                Depends on vulnerable versions of watchpack
                node_modules/webpack
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/micromatch
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/watchpack-chokidar2/node_modules/anymatch
          readdirp  2.2.0 - 2.2.1
          Depends on vulnerable versions of micromatch
          node_modules/watchpack-chokidar2/node_modules/readdirp
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

17 high severity vulnerabilities

To address all issues, run:
  npm audit fix
PS C:\Web Dev\next> npm audit fix
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN Found: react@17.0.2
npm WARN node_modules/react
npm WARN   react@"17.0.2" from the root project
npm WARN   5 more (@next/react-dev-overlay, next, react-dom, styled-jsx, use-subscription)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021 
npm WARN node_modules/react-server-dom-webpack
npm WARN   react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN   node_modules/next
npm WARN
npm WARN Conflicting peer dependency: react@0.0.0-experimental-3c4c1c470-20211021
npm WARN node_modules/react
npm WARN   peer react@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN   node_modules/react-server-dom-webpack
npm WARN     react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN     node_modules/next
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN Found: react-dom@17.0.2
npm WARN node_modules/react-dom
npm WARN   react-dom@"17.0.2" from the root project
npm WARN   2 more (@next/react-dev-overlay, next)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react-dom@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN node_modules/react-server-dom-webpack
npm WARN   react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN   node_modules/next
npm WARN
npm WARN Conflicting peer dependency: react-dom@0.0.0-experimental-3c4c1c470-20211021
npm WARN node_modules/react-dom
npm WARN   peer react-dom@"0.0.0-experimental-3c4c1c470-20211021" from react-server-dom-webpack@0.0.0-experimental-3c4c1c470-20211021
npm WARN   node_modules/react-server-dom-webpack
npm WARN     react-server-dom-webpack@"0.0.0-experimental-3c4c1c470-20211021" from next@12.0.1
npm WARN     node_modules/next

up to date, audited 785 packages in 4s

86 packages are looking for funding
  run `npm fund` for details

# npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of readdirp
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/webpack/node_modules/watchpack
        webpack  4.0.0-alpha.0 - 5.0.0-rc.6
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of watchpack
        node_modules/webpack

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix`
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/micromatch/node_modules/braces
        node_modules/watchpack-chokidar2/node_modules/braces
          chokidar  1.0.0-rc1 - 2.1.8
          Depends on vulnerable versions of braces
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of readdirp
          node_modules/watchpack-chokidar2/node_modules/chokidar
            watchpack-chokidar2  *
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

17 high severity vulnerabilities

To address all issues, run:
  npm audit fix
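
The chains in the audit report above are what a supply-chain triage script has to walk to answer the question raised earlier in the thread: which outermost package drags the vulnerable versions in, and does the finding exceed the severity the team has agreed to block on. The following is an added example, not code from this issue or from Next.js; it assumes the npm 7+ `npm audit --json` field names (`via`, `effects`, `isDirect`, `range`) and runs on a constructed input built from two chains of the report.

```javascript
// Added example (not from the issue or Next.js): trace each advisory in an
// `npm audit --json` report (npm 7+ field names, assumed) up its `effects`
// chain to the outermost affected package, and flag what exceeds a gate.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed input mirroring two chains from the report above (advisory URLs
// and ranges as the report shows them; the rest of the tree is elided).
const sampleAudit = {
  vulnerabilities: {
    "glob-parent": { isDirect: false, range: "<5.1.2", effects: ["chokidar"],
      via: [{ severity: "high", title: "Regular expression denial of service",
              url: "https://github.com/advisories/GHSA-ww39-953v-wcq6" }] },
    chokidar: { isDirect: false, range: "1.0.0-rc1 - 2.1.8", via: ["glob-parent"], effects: ["watchpack-chokidar2"] },
    "watchpack-chokidar2": { isDirect: false, range: "*", via: ["chokidar"], effects: ["watchpack"] },
    watchpack: { isDirect: false, range: "1.7.2 - 1.7.5", via: ["watchpack-chokidar2"], effects: ["webpack"] },
    webpack: { isDirect: false, range: "4.0.0-alpha.0 - 5.0.0-rc.6", via: ["watchpack"], effects: [] },
    "set-value": { isDirect: false, range: "<4.0.1", effects: ["union-value"],
      via: [{ severity: "high", title: "Prototype Pollution in set-value",
              url: "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" }] },
    "union-value": { isDirect: false, range: "*", via: ["set-value"], effects: [] },
  },
};

// Follow `effects` upward from `name`; stop at a direct dependency or at a
// package nothing else depends on. Returns every chain as an array of names.
function chainsToRoots(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  const parents = entry && !entry.isDirect && !seen.has(name) ? entry.effects : [];
  if (parents.length === 0) return [[name]];      // `seen` also breaks cycles
  const visited = new Set(seen).add(name);
  return parents.flatMap((p) => chainsToRoots(vulns, p, visited).map((c) => [name, ...c]));
}

// One finding per advisory: string entries in `via` are transitive links, only
// object entries are advisories. `blocks` is true when severity >= `gate`.
function summarise(audit, gate = "high") {
  const vulns = audit.vulnerabilities;
  return Object.entries(vulns).flatMap(([pkg, entry]) =>
    entry.via.filter((v) => typeof v === "object").map((adv) => ({
      advisory: adv.url, package: pkg, range: entry.range, severity: adv.severity,
      chains: chainsToRoots(vulns, pkg).map((c) => c.join(" -> ")),
      blocks: SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[gate],
    })));
}

// In CI: `npm audit --json > audit.json`, then JSON.parse(fs.readFileSync("audit.json")).
console.log(JSON.stringify(summarise(sampleAudit), null, 2));
```

On the constructed input the first finding resolves to `glob-parent -> chokidar -> watchpack-chokidar2 -> watchpack -> webpack`, which is the same chain the report above and the earlier `npm ls webpack` output point at; a CI job can exit non-zero when any finding has `blocks` set.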

@rtritto

rtritto commented Oct 29, 2021

Fixed on #30505.
@franklinjavier you can try with a canary version (>= 12.0.2-canary.4) of next.js.
So this issue can be closed.

@timneutkens
Member

Fixed on #30505 indeed 👍

Roboe added a commit to Roboe/kobo-offline that referenced this issue Oct 31, 2021
Skipping 12.0.1 because of conflicting dependencies: vercel/next.js#30403
@balazsorban44
Member

This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@vercel vercel locked as resolved and limited conversation to collaborators Jan 27, 2022