
npm install specific version of dependency inside dependency


This project uses next@13 and next-drupal@1.6.0.

package.json

"dependencies": {
  "next": "^13",
  "next-drupal": "^1.6.0",
}  

The dependency next@13 has a vulnerability that is fixed in next@14.

So I fixed it with npm install next@14.2.3.

package.json

"dependencies": {
  "next": "^14.2.3",
  "next-drupal": "^1.6.0",
}  

However, running npm audit fix shows that next-drupal also uses next@13 as a dependency inside its own node_modules (node_modules/next-drupal/node_modules/next).

$ npm audit fix

next  >=13.4.0 <14.1.1
Severity: high
Next.js Server-Side Request Forgery in Server Actions - https://github.com/advisories/GHSA-fr5h-rqp8-mj6g
fix available via `npm audit fix`
node_modules/next-drupal/node_modules/next

Looking at node_modules/next-drupal/node_modules/next inside package-lock.json, I find the same next@13 that I need to update to 14.

package-lock.json

"node_modules/next-drupal/node_modules/next": {
      "version": "13.5.6",
     (more code)
}

What I intend is to address the vulnerability of next@13 by updating it to 14. What is the correct way to achieve this?


Solution

  • From the issue "next-drupal 1.6 npm package works with next 14, but has 13 as a dependency, triggering high vulnerability" (#759) I learned how to override the dependency of a dependency.

    First, I had to add an override object in package.json.

      "dependencies": {
        "next": "^14.2.3",
        "next-drupal": "^1.6.0",
        ...
      },
      "overrides": {
        "next-drupal": {
          "next": "$next"
        }
      }
    

    Second, I had to delete node_modules and package-lock.json before running npm install.

    Finally, with npm list next I could verify that the module is overridden with the desired dependency.

    ├─┬ [email protected]
    │ └── [email protected] deduped
    ├─┬ [email protected] overridden
    │ └── [email protected] deduped
    ├─┬ [email protected]
    │ └── [email protected] deduped
    └── [email protected]
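To check a lockfile for this kind of nested duplicate before and after applying the override, here is an added example (not code from the post or from the next-drupal project) that walks the `packages` map of a lockfile v2/v3 and builds the matching `overrides` block; the lock fragment is constructed to mirror the layout in the question:

```javascript
// Added example (not from the original post): scan a package-lock.json v2/v3
// "packages" map for nested copies of a package that differ from the top-level
// copy, then build the "overrides" block that pins them to the root version.
// The lock fragment below is constructed to mirror the question's layout.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^14.2.3", "next-drupal": "^1.6.0" } },
    "node_modules/next": { version: "14.2.3" },
    "node_modules/next-drupal": { version: "1.6.0", dependencies: { next: "^13" } },
    "node_modules/next-drupal/node_modules/next": { version: "13.5.6" },
  },
};

// Return every nested install of `pkgName` whose version differs from the
// top-level one, as [{ parent, path, version }]. `parent` is the package whose
// own node_modules directory holds the duplicate (scoped names are kept whole).
function findNestedCopies(lock, pkgName) {
  const packages = lock.packages || {};
  const topLevel = packages[`node_modules/${pkgName}`];
  const suffix = `/node_modules/${pkgName}`;
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith(suffix)) continue;             // top-level copy and other packages skip here
    const parentPath = path.slice(0, -suffix.length);  // e.g. node_modules/next-drupal
    const parent = parentPath.replace(/^.*node_modules\//, "");
    if (!topLevel || entry.version !== topLevel.version) {
      hits.push({ parent, path, version: entry.version });
    }
  }
  return hits;
}

// Build the package.json "overrides" object that forces each parent found above
// to resolve `pkgName` to the root "dependencies" entry ("$pkgName" reference).
function buildOverrides(pkgName, copies) {
  const overrides = {};
  for (const { parent } of copies) {
    overrides[parent] = { ...(overrides[parent] || {}), [pkgName]: `$${pkgName}` };
  }
  return overrides;
}

const nestedNext = findNestedCopies(sampleLock, "next");
console.log(nestedNext);
console.log(JSON.stringify({ overrides: buildOverrides("next", nestedNext) }, null, 2));
```

After regenerating the lockfile with the override in place, running the same scan should return an empty list for `next`.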