Summary
`npm audit --omit=dev` reports production dependency vulnerabilities, including high-severity Next.js advisories and a critical transitive `protobufjs` advisory.
Evidence
- `package.json:21` pins `next` to `16.1.6`.
- `npm audit --omit=dev --json` reported 4 production vulnerability groups:
  - `next` — high; fix available: `16.2.6` without semver major.
  - `protobufjs` — critical; transitive.
  - `postcss` — moderate; transitive through Next.js.
  - `@protobufjs/utf8` — moderate; transitive.
- Full `npm audit` including dev dependencies reported 26 vulnerability groups: 1 low, 12 moderate, 11 high, 2 critical.
Impact
The public app is exposed to known framework/runtime advisories, including multiple Next.js DoS, middleware/proxy bypass, cache poisoning, SSRF, and XSS-related advisories reported by `npm audit` for the installed version range.
Minimal Fix
- Upgrade `next` from `16.1.6` to at least the fixed version reported by audit (`16.2.6` at audit time).
- Re-run `npm audit --omit=dev` and update transitive dependencies via lockfile refresh.
- Review whether `firebase-tools` and other CLI-only packages need to remain in `devDependencies`; keep them out of production installs.
- Avoid `npm audit fix --force` unless reviewed, because it may apply breaking changes.
Acceptance Criteria
- `npm audit --omit=dev` reports 0 high/critical production vulnerabilities, or any remaining advisories are documented as non-exploitable in this app.
- `npm run build` still passes after dependency updates.
- `npm run lint` still runs and any new lint failures are addressed separately.
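One way to enforce the first acceptance criterion in CI, as an added example that is not part of this issue or the project: a Node script that evaluates the JSON produced by `npm audit --omit=dev --json` (npm v7+ `auditReportVersion` 2 format) and fails on any high/critical advisory not on a reviewed allow-list. `SAMPLE_REPORT` is constructed to mirror the four findings above and is not real audit output; the allow-list names are an assumption.

```javascript
// Added example (not from the issue): gate a CI step on `npm audit --omit=dev --json`
// output. Parses the npm v7+ audit report (auditReportVersion 2) and fails on
// high/critical advisories that were not reviewed and accepted.
// SAMPLE_REPORT is constructed to mirror the findings in this issue, not real output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    next: { name: "next", severity: "high", isDirect: true, range: "<16.2.6",
      fixAvailable: { name: "next", version: "16.2.6", isSemVerMajor: false } },
    protobufjs: { name: "protobufjs", severity: "critical", isDirect: false,
      range: "*", fixAvailable: true },
    postcss: { name: "postcss", severity: "moderate", isDirect: false,
      range: "*", fixAvailable: true },
    "@protobufjs/utf8": { name: "@protobufjs/utf8", severity: "moderate",
      isDirect: false, range: "*", fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 1, critical: 1, total: 4 } },
};

const BLOCKING = new Set(["high", "critical"]);

// Advisories that should block the build: high/critical severity and not explicitly
// accepted. `allowlist` holds package names whose advisories have been reviewed and
// documented as non-exploitable in this app (assumed convention for this example).
function blockingAdvisories(report, allowlist = []) {
  const accepted = new Set(allowlist);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => BLOCKING.has(v.severity) && !accepted.has(v.name))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // fixAvailable is true/false or an object naming the top-level package to bump;
      // isSemVerMajor marks the breaking fixes that `npm audit fix --force` would apply.
      fix: typeof v.fixAvailable === "object" && v.fixAvailable !== null
        ? `${v.fixAvailable.name}@${v.fixAvailable.version}` +
          (v.fixAvailable.isSemVerMajor ? " (semver major, review first)" : "")
        : v.fixAvailable ? "available via lockfile refresh" : "none",
    }));
}

// CI exit code: 1 while blocking advisories remain, otherwise 0.
function auditExitCode(report, allowlist = []) {
  return blockingAdvisories(report, allowlist).length > 0 ? 1 : 0;
}

for (const b of blockingAdvisories(SAMPLE_REPORT)) {
  console.log(`${b.severity.toUpperCase()} ${b.name} (${b.direct ? "direct" : "transitive"}): fix ${b.fix}`);
}
console.log(`audit gate exit code: ${auditExitCode(SAMPLE_REPORT)}`);
```

In a pipeline, pass the real report in with `JSON.parse` of the captured `npm audit --omit=dev --json` stdout and use `auditExitCode` as the step's exit status.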