We forked this repo in our org and we have received two security alerts from Dependabot:
PR #230 accidentally added "ncc": "^0.3.6" to dependencies in package.json. This is node-chrome-canvas, an unrelated package — not @vercel/ncc (which is already correctly listed in devDependencies).
This bogus dependency pulls in ws@2.3.1, which has multiple known vulnerabilities:
- GHSA-3648-7jhf-9vrq — DoS when handling a request with many HTTP headers (high)
- CVE-2024-37890 — Denial of Service in ws (high)
The fix is simply removing "ncc": "^0.3.6" from dependencies and running npm install to regenerate the lock file. @vercel/ncc in devDependencies is the correct build tool and is unaffected.