outdated @sentry/nextjs dependencies

[michal-bio]

are there any plans to update @sentry/nextjs dependencies?

@sentry/nextjs uses outdated dependencies. good example: [email protected] (released 1 year ago) and latest version is @8.4.31 [email protected] includes security vulnerabilities https://www.cve.org/CVERecord?id=CVE-2023-44270

there are other dependencies but this is just a good example.

[AbhiPrasad]

Hey @michal-bio.

If you are using security scanners for this, these are false positives. See

sentry-javascript/packages/nextjs/package.json

Lines 27 to 39 in 729e432

	"@rollup/plugin-commonjs": "24.0.0",
	"@sentry/core": "7.73.0",
	"@sentry/integrations": "7.73.0",
	"@sentry/node": "7.73.0",
	"@sentry/react": "7.73.0",
	"@sentry/types": "7.73.0",
	"@sentry/utils": "7.73.0",
	"@sentry/vercel-edge": "7.73.0",
	"@sentry/webpack-plugin": "1.20.0",
	"chalk": "3.0.0",
	"rollup": "2.78.0",
	"stacktrace-parser": "^0.1.10",
	"tslib": "^2.4.1 || ^1.9.3"

. For all the packages we directly depend on (and their deps), we've updated to prevent any security issues. The one's scanners are flagging are devDependencies, which we use for tests. So with postcss like you mentioned, it's there because we are using an older version of next for our unit tests.

If that is not the case, please open a GH issue with the specific dependency that is causing security issues. Thanks!

[AbhiPrasad]

There are no known security issues in 1.20.0 of @sentry/webpack-plugin. We are very actively thinking about the next major version, so we'll bump to 2.8.0 soon!

[michal-bio]

@AbhiPrasad thank you for your answer! you are right that postcss is there because of next@12. are you planning to update next?

[AbhiPrasad]

No because it's a devDependency, so should not show up in your final bundle.

[michal-bio]

despite the main purposes being for development, these dependencies can still introduce security risks, which can be audited through the package-lock.json and postcss and next@12 are listed there. good article: https://medium.com/swlh/but-its-just-a-dev-dependency-566646ebeec9

[AbhiPrasad]

I think we're not going to prioritize bumping devDependencies because there are more important bugs/features we need to get to - but PRs are welcome, we can merge in changes as long as they don't break our tests (we sometimes need to test against older versions even if they have security issues because we aim for maximum compatibility whenever possible).