I've just created a new Next.js TS project using npx create-next-app@latest --ts (as per the documentation).
I keep receiving 3 high severity vulnerabilities; npm audit fix --force makes it worse by adding around 24 high severity vulnerabilities.
Is there any way around this? Should I be concerned that I might have installed a malicious package?
# npm audit report
node-fetch <2.6.7
Severity: high
---> node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g <---
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-fetch
next 9.0.6-canary.0 - 9.3.4-canary.0 || 10.0.2-canary.0 - 12.0.8
Depends on vulnerable versions of node-fetch
node_modules/next
eslint-config-next >=10.2.1-canary.2
Depends on vulnerable versions of next
node_modules/eslint-config-next
CodePudding user response:
As the warning suggests:
node-fetch <2.6.7 Severity: high ---> node-fetch is vulnerable
Go to package-lock.json, check the version (mine was 2.6.1), google the npm node-fetch package, check the most downloaded / stable version, edit the version number in your file, save and run npm i.
0 vulnerabilities.
CodePudding user response:
I fixed this by upgrading to next 12.0.9.
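The three "high" findings in the question are one advisory (node-fetch <2.6.7) reaching next and eslint-config-next through the dependency graph. The script below is an added example, not code from the question or either answer: it groups an npm audit --json report (the auditReportVersion 2 shape emitted by npm 7+) by root advisory and flags whether the proposed fix is a semver-major bump; the sample report is constructed to mirror the one in the question, and the fix version is taken from the second answer.

```javascript
// Added example, not code from the question or answers: triage an
// `npm audit --json` report (auditReportVersion 2, npm 7+) so that one root
// advisory reaching several dependents is not read as several separate bugs.
// Constructed to mirror the question's report; fix version from answer 2.
const FIX = { name: "next", version: "12.0.9", isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "node-fetch": { name: "node-fetch", severity: "high", isDirect: false,
      range: "<2.6.7", fixAvailable: FIX,
      via: [{ name: "node-fetch", severity: "high", range: "<2.6.7",
              title: "Exposure of Sensitive Information to an Unauthorized Actor",
              url: "https://github.com/advisories/GHSA-r683-j2x4-v87g" }] },
    next: { name: "next", severity: "high", isDirect: true, via: ["node-fetch"],
      range: "9.0.6-canary.0 - 9.3.4-canary.0 || 10.0.2-canary.0 - 12.0.8",
      fixAvailable: FIX },
    "eslint-config-next": { name: "eslint-config-next", severity: "high",
      isDirect: true, via: ["next"], range: ">=10.2.1-canary.2", fixAvailable: FIX },
  },
};

// Follow the `via` chain (strings name dependents, objects are advisories)
// down to the advisory objects a package's finding actually stems from.
function rootAdvisories(report, pkg, seen = new Set()) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return [];
  seen.add(pkg);
  return entry.via.flatMap((v) =>
    typeof v === "string" ? rootAdvisories(report, v, seen) : [v]);
}

// One record per distinct advisory URL: every package it reaches, which of
// those are direct dependencies, and whether npm's fix is a breaking bump.
function triage(report) {
  const byUrl = new Map();
  for (const [pkg, entry] of Object.entries(report.vulnerabilities)) {
    for (const adv of rootAdvisories(report, pkg)) {
      const rec = byUrl.get(adv.url) || { url: adv.url, root: adv.name,
        severity: adv.severity, reached: [], direct: [], breakingFix: false };
      if (!rec.reached.includes(pkg)) rec.reached.push(pkg);
      if (entry.isDirect && !rec.direct.includes(pkg)) rec.direct.push(pkg);
      if (entry.fixAvailable && entry.fixAvailable.isSemVerMajor) rec.breakingFix = true;
      byUrl.set(adv.url, rec);
    }
  }
  return [...byUrl.values()];
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

On a real project, replace sampleReport with JSON.parse of the output of npm audit --json; a single record with breakingFix true is exactly the situation in the question, where the only non-breaking route is a newer next that no longer depends on the vulnerable node-fetch range.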
