Discussion of critical errors in npm audit report for @sanity/client@0.3.0

13 replies
Last updated: May 31, 2022
Hi everyone. So I just casually ran "npm audit report" and now there are critical errors showing up.
My version of sanity client is @3.3.0 and the eventsource is @3.2.0
May 28, 2022, 7:30 AM
Can you have a look at your lockfile and find which dependency uses sanity/client@0.3.0? That seems awfully outdated.
May 28, 2022, 8:14 AM
I don
May 28, 2022, 12:40 PM
I don't use yarn.lock unfortunately
May 28, 2022, 12:41 PM
But I did run npm ls @sanity/client though.
May 28, 2022, 12:44 PM
What about package lock?
May 28, 2022, 12:44 PM
Alright lemme look
May 28, 2022, 12:44 PM
Essentially all 5 results point to the same thing
May 28, 2022, 12:46 PM
Mind you that this error pops up out of nowhere, and I first saw the error a few days ago.
May 28, 2022, 12:47 PM
Doing a little digging, and this initial dig is by no means a recommendation, just quick tinkering. (Any suggestions below, if you choose to tinker as well, should be strictly done in a non-production environment or fresh test project.)
• For auditing, as yarn is the default package manager currently (you can use npm if you’d like but it takes some extra steps), instead of npm audit, try yarn audit (it also has a nice CLI format).
• The eventsource notice looks like it’s somewhat new. I’ll let the team know, and it may already be in queue to be updated.
• The eventsource package being used is a couple deps deep in sanity core. I was able to install it and it appears to be updated in the project, but sanity core and sanity eventsource will need their relative versions updated to v2.02+ to meet the audit requirements. The eventsource message still appears after manually adding the newer version to the top level deps. How deps and deps of deps work in relation to the audit tools is a bit over my head.
I don’t know the impact or urgency here, but will post it to the team. If it is urgent, look for updates as soon as possible via sanity versions - thanks for the heads up!
May 28, 2022, 5:10 PM
((again, to be clear, my little test is to my best knowledge and I’ll leave it to the core studio team for a more formal detailed response if necessary))
May 28, 2022, 5:12 PM
Good to hear back from you Julia. Should I just promote my project to production anyway?
May 29, 2022, 12:36 AM
Small update: it’s a low to no risk warning as it is being used. But it should still get worked into the next or following weekly release cycle, or as soon as possible. Thanks again for the notice.
May 29, 2022, 12:40 AM
Backing up my previous messages after the long US holiday weekend. This is not a production concern for most use cases, but the security message has been noted by the team and is getting attention now. I wouldn’t personally let this delay a pending deployment unless you’re under strict security adherence needs or extending studio eventsource or linking more than typical use cases. Keep checking releases here or sanity versions to keep your studio on the latest version for the next couple cycles. This small version bump may not make it explicitly into documented changes. Please check back if this persists beyond the next couple weeks.
May 31, 2022, 8:39 PM