Unlock seamless workflows and faster delivery with our latest releases – get the details

Update on vulnerability in @sanity/desk-tool and @sanity/portable-text-editor

16 replies
Last updated: Jan 19, 2022
Our security team has found there is a vulnerability in the
@sanity/desk-tool
. When I run
yarn audit
you can see the issue. Is it possible to update the dependency of immer to 9.0.6? This is the critical vulnerabilities:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @sanity/desk-tool                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @sanity/desk-tool > @sanity/form-builder >                   │
│               │ @sanity/portable-text-editor > slate > immer                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ <https://www.npmjs.com/advisories/1002492>                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sanity-plugin-media                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sanity-plugin-media > @reduxjs/toolkit > immer               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ <https://www.npmjs.com/advisories/1002492>                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
Oct 27, 2021, 10:03 PM
Thanks for reporting, Shawn. Looking into this now!
Oct 27, 2021, 10:07 PM
Hey Shawn, thanks for nudging here
Someone’s very kindly put in a PR to update this (which requires a bump in
@reduxjs/toolkit
)
https://github.com/robinpyon/sanity-plugin-media/pull/54
This will need to be reviewed but should be merged shortly
Oct 28, 2021, 12:09 AM
user F
one of my developers also noted that the issue is in the portable-text-editor as well. This was his comments to me:
Open issue in the sanity project: 
https://github.com/sanity-io/sanity/issues/2484
the critical issue is in their 
portable-text-editor
 package and is due to the version of 
slate
 being outdated: https://github.com/sanity-io/sanity/blob/next/packages/%40sanity/portable-text-editor/package.json#L47

slate
 published an update in version 
slate@0.66.0
 that fixes this vulnerability: https://github.com/ianstormtaylor/slate/releases?q=immer&amp;expanded=true
Oct 28, 2021, 2:21 PM
Just curious if there is any update on above security issues?
Nov 2, 2021, 7:25 PM
Hey
user B
– just wanted to say we haven’t forgotten about this! I’ll be able to look into this next week
Nov 4, 2021, 10:16 PM
subscribing for updates as we too have noticed this in the last few days, thanks for your support Sanity folks
Nov 10, 2021, 10:38 AM
could you pass on any firm timescales?
Nov 10, 2021, 10:56 AM
I can confirm that
sanity-plugin-media
has since been patched (
1.4.4
) to address the above vulnerability. Thanks for your patience and for nudging here!
Re:
@sanity/portable-text-editor
– I can’t provide much by the way of timescale here, except that it’s been addressed internally and will be dropping soon
Nov 14, 2021, 11:04 PM
thanks
user F
Nov 15, 2021, 8:05 AM
thank you!
Nov 15, 2021, 4:20 PM
user F
Any more of an update on the
@sanity/portable-text-editor
to fix the critical vulnerability?
Nov 30, 2021, 7:10 PM
user B
Nothing which hasn’t already been said I’m afraid! It’s been addressed by the studio team (and requires a major dependency bump at that), but I can’t give a timeline here.
What I can confirm is that the immer vulnerability doesn’t affect the studio as it only affects server environments – but it is something that will be resolved soon. Thank you for your patience!
Dec 1, 2021, 11:07 AM
Thank you for the response!
Dec 1, 2021, 5:03 PM
user B
just FYI this was merged in yesterday which appears to resolve the security issues we're tracking

https://github.com/sanity-io/sanity/pull/3014
should hopefully see some non-vulnerable libraries being published soon
Jan 19, 2022, 9:58 AM
user B
just FYI this was merged in yesterday which appears to resolve the security issues we're tracking

https://github.com/sanity-io/sanity/pull/3014
should hopefully see some non-vulnerable libraries being published soon
Jan 19, 2022, 9:58 AM
fantastic! thanks.
Jan 19, 2022, 3:47 PM

Sanity– build remarkable experiences at scale

Sanity is a modern headless CMS that treats content as data to power your digital business. Free to get started, and pay-as-you-go on all plans.

Was this answer helpful?