resend/react-email

NPM dependency vulnerability (moderate)—react-email >=3.0.4 depends on vulnerable versions of next

Closed this issue · 4 comments

Describe the Bug

Getting a dependency bug currently

**# npm audit report**

**next**  15.0.0 - 15.1.1
Severity: **moderate**
**Next.js Allows a Denial of Service (DoS) with Server Actions** - https://github.com/advisories/GHSA-7m27-7ghc-44w9
**fix available** via `npm audit fix`
node_modules/react-email/node_modules/next
  **react-email**  >=3.0.4
  Depends on vulnerable versions of next
  node_modules/react-email

Which package is affected (leave empty if unsure)

No response

Link to the code that reproduces this issue

npm i

To Reproduce

Install package with Next 15

Expected Behavior

No vulnerability warnings

What's your node version? (if relevant)

22.12.0

(With npm 11.0.0)

javirln commented

I was going to report the same, thanks @danielgwilson!

It seems the affected CVE is the following: https://nvd.nist.gov/vuln/detail/CVE-2024-56332

apergy commented

Looks like we need this to pass and then release be5c48d.

Just released a new stable version with this fixed! react-email@3.0.5.
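
An added example, not part of the original issue or the react-email project's code: a Node.js check that walks a `package-lock.json` and reports every installed copy of `next` inside the range from the audit report above (15.0.0 - 15.1.1), including nested copies such as `node_modules/react-email/node_modules/next`. The sample lockfile, its versions and the function names are constructed for illustration; prerelease suffixes are ignored.

```javascript
// Range copied from the npm audit report in this issue.
const VULN_RANGE = { min: "15.0.0", max: "15.1.1" };

// Parse "major.minor.patch"; prerelease/build suffixes are dropped, so
// "15.1.1-canary.3" is treated as 15.1.1 (errs toward flagging).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so 15.10.0 sorts after 15.2.0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, range) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.max) <= 0;
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path,
// which is where nested copies show up.
function findVulnerableInstalls(lock, name, range) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${name}`) || !meta.version) continue;
    if (inRange(meta.version, range)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from the issue).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.1.2" },
    "node_modules/next-themes": { version: "0.4.4" },
    "node_modules/react-email": { version: "3.0.4" },
    "node_modules/react-email/node_modules/next": { version: "15.1.1" },
  },
};

console.log(findVulnerableInstalls(sampleLock, "next", VULN_RANGE));
```

Against a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; an empty result means no installed copy of `next` is in the reported range.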