Discussion of critical errors in npm audit report for @sanity/client@0.3.0

Hi everyoneSo I just casually run "npm audit report" and now there are critical errors showing up
My version of sanity client is @3.3.0 and the eventsource is @3.2.0

Can you have a look at your lockfile and find which dependency uses sanity/client@0.3.0? That seems awfully outdated.

I don

I don't use yarn.lock unfortunately

But I did run

npm ls @sanity/client

though.

What about package lock?

Alright lemme look

Essentially all 5 results point to the same thing

Mind you that this error pops up out of nowhere, and I first saw the error a few days ago.

Doing a little digging, and this initial dig is by no means a recommendation just quick tinkering. (any suggestions below if you choose to tinker as well should be strictly done in a non-production environment or fresh test project)• for auditing, as yarn is the default package manager currently (you can use npm if you’d like but it takes some extra steps) - instead of npm audit, try yarn audit (it also has a nice cli format)
• The eventsource
notice looks like it’s somewhat new. I’ll let the team know, and it may already be in queue to be updated. • the eventsource package being used is a couple deps deep in sanity core. I was able to install it and it appears to be updated in the project, but sanity core and sanity eventsource will need their relative versions updated to v2.02+ to meet the audit requirements. The eventsource message still appears after manually adding the newer version to the top level deps. How deps and deps of deps work in relation to the audit tools is a bit over my head.
I don’t know the impact or urgency here, but will post it to the team. If it is urgent, look for updates as soon as possible via

sanity versions

- thanks for the heads up!

((again, to be clear, my little test is to my best knowledge and I’ll leave it to the core studio team for a more formal detailed response if necessary))

Good to hear back from you Julia. Should I just promote my project to production anyway ?

small update: it’s a low to no risk warning as it is being used. But should still get worked into the next or following weekly release cycle or as soon as possible. Thanks again for the notice.

Backing up my previous messages after the long US holiday weekend. This is not a production concern for most use cases, but the security message has been noted by the team and getting attention now. I wouldn’t personally let this delay a pending deployment unless you’re under strict security adherence needs or extending studio eventsource or linking more than typical use cases. Keep checking releases here or

sanity versions

to keep your studio on the latest version for the next couple cycles. This small version bump may not make it explicitly into documented changes. Please, check back if this persists beyond the next couple weeks.