Update on vulnerability in @sanity/desk-tool and @sanity/portable-text-editor

16 replies
Last updated: Jan 19, 2022
Our security team has found there is a vulnerability in @sanity/desk-tool. When I run yarn audit you can see the issue. Is it possible to update the dependency of immer to 9.0.6? These are the critical vulnerabilities:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @sanity/desk-tool                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @sanity/desk-tool > @sanity/form-builder >                   │
│               │ @sanity/portable-text-editor > slate > immer                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002492                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sanity-plugin-media                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sanity-plugin-media > @reduxjs/toolkit > immer               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002492                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
AI Update

I can help you with this security vulnerability issue. The @sanity/desk-tool package you're seeing is from Sanity Studio v2, which reached end-of-life on April 1st, 2024, and no longer receives security updates.

The Solution: Upgrade to Studio v3+

The immer vulnerability you're experiencing (immer 9.0.6 prototype pollution advisory 1002492) was resolved when Sanity migrated to Studio v3. In Studio v3 and later:

  • The package is now called @sanity/structure (previously @sanity/desk-tool)
  • The Portable Text Editor was completely rewritten and no longer uses Slate (which had the immer dependency)
  • These security vulnerabilities were eliminated in the process

Why You Can't Just Update immer

You can't simply update the immer dependency to 9.0.6 because:

  1. It's a transitive dependency (nested deep: @sanity/desk-tool > @sanity/form-builder > @sanity/portable-text-editor > slate > immer)
  2. The old Slate-based editor required specific immer versions
  3. Studio v2 is deprecated and won't receive patches for these vulnerabilities

Your Action Items

For the first vulnerability (via @sanity/desk-tool):

  • Upgrade to Studio v3 or later (currently v4 is available, requiring Node.js 20+)
  • The migration from v2 to v3 involves configuration changes but is well-documented in the Sanity docs

For the second vulnerability (via sanity-plugin-media):

  • Check if there's an updated version of sanity-plugin-media compatible with Studio v3
  • Consider migrating to a v3-compatible media plugin or evaluating the official Media Library (Enterprise addon) as a first-party alternative

If you absolutely cannot upgrade immediately, you could try using yarn resolutions to force immer to 9.0.6:

"resolutions": {
  "immer": "9.0.6"
}

However, this may break functionality and is not supported. The proper solution is upgrading to Studio v3 or v4, which removes these vulnerable dependencies entirely. Since Studio v2 is past its end-of-life date, continuing to use it poses ongoing security risks beyond just this immer vulnerability.
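As an added illustration (not part of the original thread, and not immer's code), the snippet below shows the bug class named in the audit output: a patch applier that follows a caller-supplied path into an object without rejecting the keys that lead onto Object.prototype, beside a hardened version that refuses them. The patch format, the `isAdmin` property and the sample patches are constructed for the demonstration.

```javascript
// Added illustration of the bug class in the advisory above: a patch applier
// that walks an attacker-controlled path and assigns into the target object.
// This is constructed demonstration code, not immer's implementation; it shows
// the shape of a prototype-pollution sink and of the standard mitigation
// (refusing the keys through which a path can reach Object.prototype).

// Constructed patch format, loosely modelled on RFC 6902 / immer-style patches:
//   { op: "add" | "replace", path: ["meta", "tags"], value: [...] }
function applyPatchesUnsafe(target, patches) {
  for (const { path, value } of patches) {
    let obj = target;
    for (let i = 0; i < path.length - 1; i++) {
      const key = path[i];
      if (obj[key] === null || typeof obj[key] !== "object") obj[key] = {};
      obj = obj[key]; // a "__proto__" segment silently walks onto Object.prototype
    }
    obj[path[path.length - 1]] = value; // ...and this write pollutes every object
  }
  return target;
}

// Keys through which a path can escape the target and reach the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applyPatchesSafe(target, patches) {
  for (const { path, value } of patches) {
    for (const key of path) {
      if (FORBIDDEN_KEYS.has(String(key))) {
        throw new Error(`refusing to traverse forbidden key "${key}"`);
      }
    }
    let obj = target;
    for (let i = 0; i < path.length - 1; i++) {
      const key = path[i];
      // Only descend into the target's own data, never into inherited members.
      if (!Object.prototype.hasOwnProperty.call(obj, key) ||
          obj[key] === null || typeof obj[key] !== "object") {
        obj[key] = {};
      }
      obj = obj[key];
    }
    obj[path[path.length - 1]] = value;
  }
  return target;
}

// Constructed attacker input: the first path segment is "__proto__".
const MALICIOUS_PATCHES = [{ op: "add", path: ["__proto__", "isAdmin"], value: true }];

// Applies the malicious patch with the unsafe applier, reads the effect from an
// unrelated object, then removes the polluted property so the process stays usable.
function demoUnsafe() {
  applyPatchesUnsafe({}, MALICIOUS_PATCHES);
  const probe = {};
  const leaked = probe.isAdmin; // true: every plain object now "has" isAdmin
  delete Object.prototype.isAdmin;
  return leaked;
}

// The hardened applier rejects the patch and leaves Object.prototype untouched.
function demoSafe() {
  let outcome;
  try {
    applyPatchesSafe({}, MALICIOUS_PATCHES);
    outcome = "applied";
  } catch (e) {
    outcome = "rejected";
  }
  const probe = {};
  return { outcome, polluted: probe.isAdmin !== undefined };
}

// Ordinary patches still work on the hardened applier.
function demoBenign() {
  const doc = { title: "draft" };
  applyPatchesSafe(doc, [
    { op: "add", path: ["meta", "tags"], value: ["security"] },
    { op: "replace", path: ["title"], value: "final" },
  ]);
  return doc;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe applier leaks isAdmin:", demoUnsafe());
  console.log("safe applier:", demoSafe());
  console.log("benign patches:", JSON.stringify(demoBenign()));
}
```

Run it with node: the unsafe applier makes `isAdmin` appear on every plain object in the process, while the hardened one throws before anything is written. The check on path keys is the part to look for when reviewing any library that applies externally supplied patches or paths to objects.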

Thanks for reporting, Shawn. Looking into this now!
Hey Shawn, thanks for nudging here
Someone’s very kindly put in a PR to update this (which requires a bump in @reduxjs/toolkit)
https://github.com/robinpyon/sanity-plugin-media/pull/54
This will need to be reviewed but should be merged shortly
user F
one of my developers also noted that the issue is in the portable-text-editor as well. These were his comments to me:
Open issue in the sanity project: https://github.com/sanity-io/sanity/issues/2484
the critical issue is in their portable-text-editor package and is due to the version of slate being outdated: https://github.com/sanity-io/sanity/blob/next/packages/%40sanity/portable-text-editor/package.json#L47

slate published an update in version slate@0.66.0 that fixes this vulnerability: https://github.com/ianstormtaylor/slate/releases?q=immer&expanded=true
Just curious if there is any update on above security issues?
Hey user B – just wanted to say we haven’t forgotten about this! I’ll be able to look into this next week
subscribing for updates as we too have noticed this in the last few days, thanks for your support Sanity folks
could you pass on any firm timescales?
I can confirm that sanity-plugin-media has since been patched (1.4.4) to address the above vulnerability. Thanks for your patience and for nudging here!
Re: @sanity/portable-text-editor – I can’t provide much by the way of timescale here, except that it’s been addressed internally and will be dropping soon
thanks
user F
thank you!
user F
Any more of an update on the @sanity/portable-text-editor to fix the critical vulnerability?
user B
Nothing which hasn’t already been said I’m afraid! It’s been addressed by the studio team (and requires a major dependency bump at that), but I can’t give a timeline here.
What I can confirm is that the immer vulnerability doesn’t affect the studio as it only affects server environments – but it is something that will be resolved soon. Thank you for your patience!
Thank you for the response!
user B
just FYI this was merged in yesterday which appears to resolve the security issues we're tracking

https://github.com/sanity-io/sanity/pull/3014
should hopefully see some non-vulnerable libraries being published soon
fantastic! thanks.
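Every fix discussed in this thread, whether the sanity-plugin-media 1.4.4 release, the studio PR, or a temporary `resolutions` pin, comes down to which immer version ends up in the lockfile. The script below is an added example (not code from Sanity, yarn or this thread) that scans a yarn v1 lockfile for every resolved version of a package and reports those older than the patched version, so the outcome can be checked rather than assumed. The lockfile excerpts are constructed and the version numbers in them are illustrative.

```javascript
// Added example (not Sanity's, yarn's or the advisory's code): scan a yarn v1
// lockfile for every resolved version of a package and flag those below the
// patched version. Useful after adding a "resolutions" entry or upgrading a
// plugin, to confirm that every transitive path now lands on >= 9.0.6.

// Parse the minimum we need from yarn.lock v1: header lines such as
//   immer@^8.0.1, immer@^9.0.1:
// followed by an indented   version "9.0.6"   line.
// Returns Map<resolvedVersion, [specifiers that resolve to it]>.
function resolvedVersions(lockText, pkgName) {
  const versions = new Map();
  let currentSpecs = null;
  for (const raw of lockText.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      // Entry header: comma-separated, optionally double-quoted specifiers.
      // The package name is everything before the last "@" (handles scopes).
      currentSpecs = raw
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""))
        .filter((spec) => spec.slice(0, spec.lastIndexOf("@")) === pkgName);
      continue;
    }
    const m = raw.match(/^\s+version\s+"([^"]+)"/);
    if (m && currentSpecs && currentSpecs.length > 0) {
      const list = versions.get(m[1]) || [];
      list.push(...currentSpecs);
      versions.set(m[1], list);
      currentSpecs = null;
    }
  }
  return versions;
}

// Minimal semver ordering on major.minor.patch (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Resolved versions of pkgName older than patchedVersion, oldest first,
// each with the specifiers that still resolve to it.
function findVulnerable(lockText, pkgName, patchedVersion) {
  const out = [];
  for (const [version, specs] of resolvedVersions(lockText, pkgName)) {
    if (compareVersions(version, patchedVersion) < 0) out.push({ version, specs });
  }
  return out.sort((x, y) => compareVersions(x.version, y.version));
}

// Constructed yarn.lock excerpt *before* any fix, modelled on the two dependency
// paths in the audit output above. Versions are illustrative.
const LOCK_BEFORE = `# yarn lockfile v1

"@reduxjs/toolkit@^1.5.1":
  version "1.5.1"
  dependencies:
    immer "^8.0.1"

immer@^8.0.1:
  version "8.0.1"

immer@^9.0.1:
  version "9.0.1"

slate@^0.65.0:
  version "0.65.0"
  dependencies:
    immer "^9.0.1"
`;

// Constructed excerpt after  "resolutions": { "immer": "9.0.6" }  and a reinstall:
// yarn collapses both specifiers onto the single pinned version.
const LOCK_AFTER = `# yarn lockfile v1

"@reduxjs/toolkit@^1.5.1":
  version "1.5.1"
  dependencies:
    immer "^8.0.1"

immer@^8.0.1, immer@^9.0.1:
  version "9.0.6"

slate@^0.65.0:
  version "0.65.0"
  dependencies:
    immer "^9.0.1"
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", JSON.stringify(findVulnerable(LOCK_BEFORE, "immer", "9.0.6")));
  console.log("after: ", JSON.stringify(findVulnerable(LOCK_AFTER, "immer", "9.0.6")));
}
```

To run it against a real project, replace the embedded strings with `fs.readFileSync("yarn.lock", "utf8")`. `yarn why immer` gives the same information interactively; this form is the one to drop into CI so a pin that quietly stops applying after a lockfile regeneration is caught.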
