valtyr/prisma-kysely

Update @prisma/sdk

Closed this issue · 4 comments

Can you update the @prisma/sdk dependency? These are the vulnerabilities I have been experiencing.

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        undici before v5.8.0 vulnerable to CRLF injection in request
                  headers

  Package         undici

  Patched in      >=5.8.0

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-3cvr-822r-rqcc


  High            ProxyAgent vulnerable to MITM

  Package         undici

  Patched in      >=5.5.1

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-pgw7-wx7w-2w33


  Low             undici before v5.8.0 vulnerable to uncleared cookies on
                  cross-host / cross-origin redirect

  Package         undici

  Patched in      >=5.8.0

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-q768-x9m6-m9qp


  Moderate        Nodejs ‘undici’ vulnerable to CRLF Injection via
                  Content-Type

  Package         undici

  Patched in      >=5.8.2

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-f772-66g8-q5h3


  Moderate        `undici.request` vulnerable to SSRF using absolute URL on
                  `pathname`

  Package         undici

  Patched in      >=5.8.2

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-8qr4-xgw6-wmr3


  High            Regular Expression Denial of Service in Headers

  Package         undici

  Patched in      >=5.19.1

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-r6ch-mqf9-qc9w


  Moderate        CRLF Injection in Nodejs ‘undici’ via host

  Package         undici

  Patched in      >=5.19.1

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-5r9g-qh6m-jxff
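The report above lists seven undici advisories, all reached through the same transitive path, and the only useful action for the person filing it is to work out which version of undici clears all of them and which direct dependency has to move to get there. As an added example (not code from this issue, from prisma-kysely or from npm), the block below parses that human-readable `npm audit` report format, computes per package the minimum version satisfying every "Patched in" range, and names the direct dependency to bump from the reported path. The report text it embeds is a constructed, abbreviated copy of three of the advisories quoted above; the version comparison handles only plain `x.y.z` versions and `>=` ranges, which is all this report uses, and rejects anything else rather than ignoring it.

```javascript
// Added example, not part of the original issue or of prisma-kysely.
// Constructed, abbreviated copy of three advisories from the quoted report.
const AUDIT_REPORT = `
  Moderate        undici before v5.8.0 vulnerable to CRLF injection in request
                  headers

  Package         undici

  Patched in      >=5.8.0

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-3cvr-822r-rqcc


  High            ProxyAgent vulnerable to MITM

  Package         undici

  Patched in      >=5.5.1

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-pgw7-wx7w-2w33


  High            Regular Expression Denial of Service in Headers

  Package         undici

  Patched in      >=5.19.1

  Dependency of   prisma-kysely

  Path            prisma-kysely > @prisma/sdk > @prisma/engine-core > undici

  More info       https://github.com/advisories/GHSA-r6ch-mqf9-qc9w
`;

const SEVERITIES = new Set(["Critical", "High", "Moderate", "Low", "Info"]);
const FIELDS = /^(Package|Patched in|Dependency of|Path|More info)\s{2,}(.*)$/;

// Split the report into advisory records. A record starts with a severity
// word in the first column; following "Key   value" lines belong to it, and
// any other line is a wrapped continuation of the title.
function parseAuditReport(text) {
  const advisories = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line) continue;
    const head = /^(\S+)\s{2,}(.*)$/.exec(line);
    if (head && SEVERITIES.has(head[1])) {
      current = { severity: head[1], title: head[2] };
      advisories.push(current);
      continue;
    }
    if (!current) continue;
    const kv = FIELDS.exec(line);
    if (kv) {
      current[kv[1].toLowerCase().replace(" ", "_")] = kv[2];
    } else {
      current.title += " " + line;
    }
  }
  return advisories;
}

// Numeric comparison of dotted versions ("v" prefix tolerated); no prerelease
// tags are handled because the report does not contain any.
function compareVersions(a, b) {
  const pa = a.replace(/^v/, "").split(".").map(Number);
  const pb = b.replace(/^v/, "").split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Per package, the highest lower bound among all ">=x.y.z" ranges: the
// smallest version that clears every listed advisory at once.
function minimumSafeVersions(advisories) {
  const result = {};
  for (const adv of advisories) {
    const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(adv.patched_in || "");
    if (!m) throw new Error(`unsupported range for ${adv.package}: ${adv.patched_in}`);
    const prev = result[adv.package];
    if (!prev || compareVersions(m[1], prev) > 0) result[adv.package] = m[1];
  }
  return result;
}

// True when the installed version of pkg satisfies every advisory for it.
function isPatched(advisories, pkg, installed) {
  const min = minimumSafeVersions(advisories)[pkg];
  return min !== undefined && compareVersions(installed, min) >= 0;
}

// The first hop after the root in "Path" is the direct dependency whose own
// update has to pull in the fixed transitive version.
function directDependency(adv) {
  return adv.path.split(" > ")[1];
}

const advisories = parseAuditReport(AUDIT_REPORT);
console.log(minimumSafeVersions(advisories), directDependency(advisories[0]));
```

Run with `node audit-min.js`; for a real project feed it the text of `npm audit` instead of the embedded copy. The design choice worth noting is that a range the parser does not understand throws instead of being skipped, so a new advisory with a `<` or `||` range cannot quietly lower the computed floor.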

valtyr commented

I have a PR open that updates the dependency; I'll likely merge it tomorrow. I'll let you know.

valtyr commented

This will be part of the next release. I'm aiming for later today or tomorrow.

valtyr commented

Just released the new version @DylanPetrey 😎

That fixed it! Thanks!