Critical immer vulnerability in @sanity/desk-tool - update to 9.0.6?

16 repliesLast updated: Dec 1, 2025
Our security team has found there is a vulnerability in the 
@sanity/desk-tool
. When I run 
yarn audit
you can see the issue. Is it possible to update the dependency of immer to 9.0.6? This is the critical vulnerabilities:
┌───────────────┬──────────────────────────────────────────────────────────────┐
criticalPrototype Pollution in immer
├───────────────┼──────────────────────────────────────────────────────────────┤
Packageimmer
├───────────────┼──────────────────────────────────────────────────────────────┤
Patched in>=9.0.6
├───────────────┼──────────────────────────────────────────────────────────────┤
Dependency of │ @sanity/desk-tool
├───────────────┼──────────────────────────────────────────────────────────────┤
Path          │ @sanity/desk-tool > @sanity/form-builder >                   │
│               │ @sanity/portable-text-editor > slate > immer
├───────────────┼──────────────────────────────────────────────────────────────┤
More info<https://www.npmjs.com/advisories/1002492>                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
criticalPrototype Pollution in immer
├───────────────┼──────────────────────────────────────────────────────────────┤
Packageimmer
├───────────────┼──────────────────────────────────────────────────────────────┤
Patched in&gt;=9.0.6
├───────────────┼──────────────────────────────────────────────────────────────┤
Dependency ofsanity-plugin-media
├───────────────┼──────────────────────────────────────────────────────────────┤
Pathsanity-plugin-media &gt; @reduxjs/toolkit &gt; immer
├───────────────┼──────────────────────────────────────────────────────────────┤
More info<https://www.npmjs.com/advisories/1002492>                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
AI Update

I can help you with this security vulnerability issue. The @sanity/desk-tool package you're seeing is from Sanity Studio v2, which reached end-of-life on April 1st, 2024, and no longer receives security updates.

The Solution: Upgrade to Studio v3+

The immer vulnerability you're experiencing (immer 9.0.6 prototype pollution advisory 1002492) was resolved when Sanity migrated to Studio v3. In Studio v3 and later:

  • The package is now called @sanity/structure (previously @sanity/desk-tool)
  • The Portable Text Editor was completely rewritten and no longer uses Slate (which had the immer dependency)
  • These security vulnerabilities were eliminated in the process

Why You Can't Just Update immer

You can't simply update the immer dependency to 9.0.6 because:

  1. It's a transitive dependency (nested deep: @sanity/desk-tool > @sanity/form-builder > @sanity/portable-text-editor > slate > immer)
  2. The old Slate-based editor required specific immer versions
  3. Studio v2 is deprecated and won't receive patches for these vulnerabilities

Your Action Items

For the first vulnerability (via @sanity/desk-tool):

  • Upgrade to Studio v3 or later (currently v4 is available, requiring Node.js 20+)
  • The migration from v2 to v3 involves configuration changes but is well-documented in the Sanity docs

For the second vulnerability (via sanity-plugin-media):

  • Check if there's an updated version of sanity-plugin-media compatible with Studio v3
  • Consider migrating to a v3-compatible media plugin or evaluating the official Media Library (Enterprise addon) as a first-party alternative

If you absolutely cannot upgrade immediately, you could try using yarn resolutions to force immer to 9.0.6:

"resolutions": {
  "immer": "9.0.6"
}

However, this may break functionality and is not supported. The proper solution is upgrading to Studio v3 or v4, which removes these vulnerable dependencies entirely. Since Studio v2 is past its end-of-life date, continuing to use it poses ongoing security risks beyond just this immer vulnerability.

Show original thread
16 replies

Was this answer helpful?

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Related answers

Get more help in the community Discord

Related contributions

Auto-generate alt text for Media Library assets

FeaturedOfficial

Automatically generate accessible, multilingual alt text for images in your Sanity Media Library using Agent Actions and Sanity Functions

Bram Doppen

Bram Doppen

First Published Timestamp Function

FeaturedOfficial

Automatically track when content was first published with a timestamp that sets once and never overwrites, providing reliable publication history for analytics and editorial workflows.

Knut Melvær

Knut Melvær

Automatically tag blog posts

FeaturedOfficial

AI-powered automatic tagging for Sanity blog posts that analyzes content to generate 3 relevant tags, maintaining consistency by reusing existing tags from your content library.

Ken Jones Pizza
Knut Melvær

Ken Jones Pizza and 1 other