Vulnerability in inflight

[AndreyKovanov]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/nextjs

SDK Version

8.9.2

Framework Version

No response

Link to Sentry event

No response

SDK Setup

No response

Steps to Reproduce

• Install the latest "@sentry/nextjs"
• Run npm ls inflight --omit=dev
• See @sentry/nextjs is dependant on inflight package

inflight package is deprecated and has the vulnerability
To fix the vulnerability need to update @rollup/plugin-commonjs package to version 26+

Expected Result

@sentry/next package doesn't depend on inflight package

Actual Result

@sentry/next package depends on inflight package

┬ @sentry/nextjs@8.9.2
└─┬ @rollup/plugin-commonjs@24.0.0
  └─┬ glob@8.1.0
    └── inflight@1.0.6

[AbhiPrasad]

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

@rollup/plugin-commonjs is not used by the server-side part of the SDK, it is a build tool, used during build time. Therefore this vulnerability does not apply to users of the Next.js SDK.

PRs are welcome if you would like to upgrade the @rollup/plugin-commonjs dep!

[AbhiPrasad]

Released with https://github.com/getsentry/sentry-javascript/releases/tag/8.10.0 - thanks for the PR @AndreyKovanov