Discussion of critical errors in npm audit report for @sanity/client@0.3.0

13 replies
Last updated: May 31, 2022
Hi everyone. So I just casually ran "npm audit report" and now there are critical errors showing up.
My version of sanity client is 3.3.0 and eventsource is 3.2.0.
AI Update

I understand the concern! npm audit warnings can be alarming, but let me help you understand what's happening and how to fix it.

The Issue

You're using @sanity/client version 3.3.0, which is quite outdated (released in 2022). This version depends on eventsource 3.2.0, which has known security vulnerabilities that npm audit is flagging. The eventsource package is used for Server-Sent Events (SSE) functionality in the Sanity client.

The Solution: Upgrade @sanity/client

The best approach is to upgrade to the latest version of @sanity/client. The current version is v6.x, which has resolved these dependency vulnerabilities. Here's what to do:

npm install @sanity/client@latest

Or if you're using yarn:

yarn add @sanity/client@latest

Important Breaking Changes to Consider

Since you're jumping from v3.3.0 to v6.x, there are some breaking changes you'll need to handle:

  1. Import changes: The client now uses named exports

    // Old (v3)
    import sanityClient from '@sanity/client'
    
    // New (v6)
    import {createClient} from '@sanity/client'

  2. Configuration: The API is largely the same, but check the Sanity changelog for changes to any specific features you use

  3. Node.js version: Make sure you're running Node.js 18 or higher

Why This Matters

While the eventsource vulnerability (CVE/GHSA issues) might not directly affect your application depending on whether you're using listener features, it's good practice to stay reasonably up-to-date with dependencies for security and compatibility reasons. The vulnerability in eventsource 3.2.0 has been addressed in newer versions that the latest @sanity/client uses.

After Upgrading

Run npm audit again to verify the critical vulnerabilities are resolved. You should see a much cleaner report.

If you're working on a large codebase and concerned about breaking changes, you can review what changed between versions by checking the official Sanity changelog or testing in a development branch first.
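One way to see why a vulnerable transitive dependency can survive both an upgrade and a top-level reinstall, as an added example that is not part of the original post or of Sanity's code: npm's package-lock.json (lockfileVersion 2 and 3) records every installed copy of a package under "packages", keyed by its node_modules path, so a nested copy such as node_modules/@sanity/eventsource/node_modules/eventsource is a separate install from the top-level one and is what npm audit keeps reporting. The script below walks a constructed lockfile (the package names, versions and the patched releases passed in are assumptions for illustration, not values established by the thread), lists the copies still below the patched release of their own major line, and derives the npm overrides entry that would pin just that nested copy.

```javascript
// Added example, not code from the original thread or from Sanity: walk a
// package-lock.json (lockfileVersion 2 or 3, where "packages" lists every
// installed copy keyed by its node_modules path), report each copy of a
// package still below the patched release for its major line, and derive the
// npm "overrides" entry that would pin that nested copy. The lockfile below is
// constructed for illustration; its package names, versions and the patched
// versions passed in are assumptions, not facts taken from the thread.

const SAMPLE_LOCK = JSON.stringify({
  name: "my-studio",
  lockfileVersion: 2,
  packages: {
    "": { name: "my-studio", dependencies: { "@sanity/client": "^3.3.0", eventsource: "^2.0.2" } },
    // Top-level copy: already patched, so adding it to package.json changed nothing visible.
    "node_modules/eventsource": { version: "2.0.2" },
    "node_modules/@sanity/client": { version: "3.3.0", dependencies: { "@sanity/eventsource": "^3.0.0" } },
    "node_modules/@sanity/eventsource": { version: "3.0.0", dependencies: { eventsource: "^1.1.0" } },
    // Nested copy: ^1.1.0 is not satisfied by 2.0.2, so npm keeps a second, older copy here.
    "node_modules/@sanity/eventsource/node_modules/eventsource": { version: "1.1.0" },
  },
});

// "1.2.3" -> [1, 2, 3]; a pre-release suffix is dropped for this comparison.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Negative if a < b, zero if equal, positive if a > b (numeric per component).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// "node_modules/@sanity/eventsource/node_modules/eventsource"
//   -> ["@sanity/eventsource", "eventsource"]  (nesting chain from the root)
function chainFromPath(lockPath) {
  return lockPath
    .split("node_modules/")
    .map((s) => s.replace(/\/$/, ""))
    .filter((s) => s.length > 0);
}

// Every installed copy of pkgName in the lockfile, with its nesting chain.
function findInstalledCopies(lock, pkgName) {
  const copies = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const chain = chainFromPath(lockPath);
    if (chain.length > 0 && chain[chain.length - 1] === pkgName && entry.version) {
      copies.push({ path: lockPath, version: entry.version, chain });
    }
  }
  return copies;
}

// fixedByMajor maps a major line to its first patched release, e.g. {1: "1.1.1", 2: "2.0.2"}.
// A copy whose major line has no listed patched release is kept (fixed: null) for manual review.
function findVulnerableCopies(lock, pkgName, fixedByMajor) {
  return findInstalledCopies(lock, pkgName)
    .map((c) => ({ ...c, fixed: fixedByMajor[parseVersion(c.version)[0]] || null }))
    .filter((c) => c.fixed === null || compareVersions(c.version, c.fixed) < 0);
}

// npm "overrides" (package.json, npm 8.3+) pinning each vulnerable copy to the
// patched release of its own major line. The nested form
// {"<parent>": {"<pkg>": "<version>"}} touches only that parent's copy, so the
// top-level copy and other consumers are left alone.
function suggestOverrides(vulnerable) {
  const overrides = {};
  for (const c of vulnerable) {
    if (c.fixed === null) continue; // nothing safe to pin to; upgrade the parent instead
    const pkg = c.chain[c.chain.length - 1];
    if (c.chain.length === 1) {
      overrides[pkg] = c.fixed;
    } else {
      const parent = c.chain[c.chain.length - 2];
      const existing = typeof overrides[parent] === "object" ? overrides[parent] : {};
      overrides[parent] = { ...existing, [pkg]: c.fixed };
    }
  }
  return overrides;
}

// Usage on the constructed lockfile. The patched versions are parameters you
// take from the advisory for the package in question, not from this thread.
const FIXED_EVENTSOURCE = { 1: "1.1.1", 2: "2.0.2" };
const vulnerable = findVulnerableCopies(JSON.parse(SAMPLE_LOCK), "eventsource", FIXED_EVENTSOURCE);
for (const c of vulnerable) {
  console.log(`${c.chain.join(" > ")} @ ${c.version} (patched in: ${c.fixed})`);
}
console.log(JSON.stringify({ overrides: suggestOverrides(vulnerable) }, null, 2));
```

The override is a stopgap for a parent you cannot upgrade yet; the durable fix is the one the answer above gives, upgrading the parent so that it declares a patched range itself. Either way, confirm afterwards with npm ls eventsource and npm audit that no copy below the patched version remains in the tree. The script deliberately stays within the same major line, because forcing a 1.x consumer onto 2.x can break the parent that depends on it.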

Can you have a look at your lockfile and find which dependency uses sanity/client@0.3.0? That seems awfully outdated.
I don't use yarn.lock, unfortunately.
But I did run npm ls @sanity/client though.
What about package-lock?
Alright lemme look
Essentially all 5 results point to the same thing
Mind you that this error pops up out of nowhere, and I first saw the error a few days ago.
Doing a little digging, and this initial dig is by no means a recommendation, just quick tinkering. (Any suggestions below, if you choose to tinker as well, should be strictly done in a non-production environment or a fresh test project.)
• For auditing, as yarn is the default package manager currently (you can use npm if you'd like, but it takes some extra steps), instead of npm audit, try yarn audit (it also has a nice CLI format).
• The eventsource notice looks like it's somewhat new. I'll let the team know, and it may already be in the queue to be updated.
• The eventsource package being used is a couple of deps deep in sanity core. I was able to install it and it appears to be updated in the project, but sanity core and sanity eventsource will need their relative versions updated to v2.02+ to meet the audit requirements. The eventsource message still appears after manually adding the newer version to the top-level deps. How deps and deps of deps work in relation to the audit tools is a bit over my head.
I don't know the impact or urgency here, but will post it to the team. If it is urgent, look for updates as soon as possible via sanity versions. Thanks for the heads up!
(Again, to be clear, my little test is to the best of my knowledge, and I'll leave it to the core studio team for a more formal, detailed response if necessary.)
Good to hear back from you, Julia. Should I just promote my project to production anyway?
Small update: it's a low-to-no-risk warning as it is being used. But it should still get worked into the next or following weekly release cycle, or as soon as possible. Thanks again for the notice.
Backing up my previous messages after the long US holiday weekend: this is not a production concern for most use cases, but the security message has been noted by the team and is getting attention now. I wouldn't personally let this delay a pending deployment unless you're under strict security adherence needs or extending studio eventsource or linking more than typical use cases. Keep checking releases here or sanity versions to keep your studio on the latest version for the next couple of cycles. This small version bump may not make it explicitly into documented changes. Please check back if this persists beyond the next couple of weeks.
