Describe the bug
npm audit of code using v4.5.1 (current as of this bug report) of sveltekit-adapter-aws reveals that it depends on @sveltejs/kit < 1.15.1, which has reported vulnerabilities.
To Reproduce
Steps to reproduce the behavior:
- In an existing project that uses sveltekit-adapter-aws v4.5.1, type
npm audit
- Observe the report.
Expected behavior
No vulnerabilities associated with sveltekit-adapter-aws
Screenshots
$ npm audit
# npm audit report
@sveltejs/kit <1.15.1
Severity: high
SvelteKit vulnerable to Cross-Site Request Forgery - https://github.com/advisories/GHSA-5p75-vc5g-8rv2
No fix available
node_modules/@sveltejs/kit
node_modules/sveltekit-adapter-aws/node_modules/@sveltejs/kit
sveltekit-adapter-aws *
Depends on vulnerable versions of @sveltejs/kit
node_modules/sveltekit-adapter-aws
2 high severity vulnerabilities
Desktop (please complete the following information):
- OS: Linux (Manjaro, current rolling)
- Browser: Firefox
- Version: 111.0.1
Additional context
I am not sure if it's as serious as it seems, given the cited vulnerability involves CSRF which might not be applicable to this project, but it does make for a bit of noise when you're trying to keep things cleaned up, security-wise.
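Added example, not code from the issue or from the sveltekit-adapter-aws project: a small Python triage helper for `npm audit --json` output that, for each package carrying an advisory, walks `effects` up to the direct dependency that introduces it and flags copies nested under another package's `node_modules` (the ones a top-level upgrade will not replace). The JSON layout is an assumption about npm's auditReportVersion 2 format; the sample is constructed to mirror the report quoted above.

```python
"""Triage `npm audit --json` output: who pulls in each vulnerable package?"""
import json

# Constructed sample in the shape of npm's `audit --json` (auditReportVersion 2), mirroring the
# report in the issue. The layout is an assumption; advisory URL, range and paths are from the report.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "@sveltejs/kit": {
        "name": "@sveltejs/kit", "severity": "high", "isDirect": False,
        "via": [{"title": "SvelteKit vulnerable to Cross-Site Request Forgery",
                 "url": "https://github.com/advisories/GHSA-5p75-vc5g-8rv2",
                 "severity": "high", "range": "<1.15.1"}],
        "effects": ["sveltekit-adapter-aws"], "range": "<1.15.1",
        "nodes": ["node_modules/@sveltejs/kit",
                  "node_modules/sveltekit-adapter-aws/node_modules/@sveltejs/kit"],
        "fixAvailable": False},
    "sveltekit-adapter-aws": {
        "name": "sveltekit-adapter-aws", "severity": "high", "isDirect": True,
        "via": ["@sveltejs/kit"], "effects": [], "range": "*",
        "nodes": ["node_modules/sveltekit-adapter-aws"], "fixAvailable": False},
}})


def blame(vulns, name):
    """Walk `effects` upward from `name`; return the direct dependencies reached."""
    seen, stack, direct = set(), [name], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if vulns[cur].get("isDirect"):
            direct.add(cur)
        stack.extend(vulns[cur].get("effects", []))
    return direct


def triage(audit_json):
    """One row per package with its own advisory (dict in `via`); string-only `via` = downstream."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    rows = []
    for name, v in vulns.items():
        advisories = [x for x in v["via"] if isinstance(x, dict)]
        if not advisories:
            continue
        rows.append({
            "package": name, "range": v["range"], "fix_available": v["fixAvailable"],
            "advisories": [a["url"] for a in advisories],
            "blame": sorted(blame(vulns, name)),
            # copies under another package's node_modules: a top-level bump will not replace them
            "nested_copies": [n for n in v["nodes"] if n.count("node_modules/") > 1]})
    return rows
```

Run `npm audit --json > audit.json` and feed the file contents to `triage()`; a row whose `blame` names a single direct dependency and whose `fix_available` is false is the case to take upstream.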