Prototype Pollution vuln due to `unset-value` sub-dep < 2.0.1

[olozzalap]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which package are you using?

@sentry/nextjs

SDK Version

7.12.1

Framework Version

7.12.1

Link to Sentry event

No response

Steps to Reproduce

1. Install the latest "@sentry/nextjs": "7.12.1"
2. Validate with Snyk or similar security vulnerability tool
3. See affecting Prototype Pollution security vulnerability bug from "unset-value": "<2.0.1" sub-dep. It is part of @sentry/nextjs via: @sentry/nextjs@7.12.1 › jscodeshift@0.13.1 › micromatch@3.1.10 › braces@2.3.2 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › unset-value@1.0.0

References:

• https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660
• Nexus IQ server raising critical alerts for this package jonschlinkert/unset-value#11
• https://cwe.mitre.org/data/definitions/1321.html
• https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Expected Result

No security vulnerabilities from @sentry/nextjs

Actual Result

See affecting Prototype Pollution security vulnerability bug from "unset-value": "<2.0.1" sub-dep. It is part of @sentry/nextjs via: @sentry/nextjs@7.12.1 › jscodeshift@0.13.1 › micromatch@3.1.10 › braces@2.3.2 › snapdragon@0.8.2 › base@0.11.2 › cache-base@1.0.1 › unset-value@1.0.0

[AbhiPrasad]

jscodeshift was removed in #5713 - release coming soon.

important to note that all jscodeshift functionality was gated behind a experimental feature flag, and therefore was not used in anyway by default, therefore does not present any risk.

[AbhiPrasad]

Released with https://github.com/getsentry/sentry-javascript/releases/tag/7.13.0 - thanks for your patience!