
npm audit fails with wxt@>=0.20.6

Open · borfig opened this issue 4 months ago · 0 comments

Describe the bug

npm audit fails with wxt versions 0.20.6 or newer, due to fast-redact:

# npm audit report

fast-redact  *
fast-redact vulnerable to prototype pollution - https://github.com/advisories/GHSA-ffrw-9mx8-89p8
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/fast-redact
  pino  5.0.0-rc.1 - 9.11.0
  Depends on vulnerable versions of fast-redact
  node_modules/pino
    web-ext-run  >=0.2.3
    Depends on vulnerable versions of pino
    node_modules/web-ext-run
      wxt  >=0.20.6
      Depends on vulnerable versions of web-ext-run
      node_modules/wxt

4 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

It appears that web-ext-run should depend on pino >=9.12.0 to resolve this, as this was done in Mozilla's web-ext. (pino abandoned fast-redact in 9.12.0)

Reproduction

Use the following as your package.json:

{
  "name": "foo",
  "private": true,
  "version": "0.0.0",
  "devDependencies": {
    "@wxt-dev/storage": "1.2.0",
    "wxt": "^0.20.11"
  }
}

Steps to reproduce

  1. npm install
  2. npm audit

System Info

System:
    OS: macOS 26.0.1
    CPU: (16) arm64 Apple M4 Max
    Memory: 3.23 GB / 64.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.19.5 - /Users/borfig/.nvm/versions/node/v20.19.5/bin/node
    npm: 10.8.2 - /Users/borfig/.nvm/versions/node/v20.19.5/bin/npm
  Browsers:
    Chrome: 141.0.7390.123
    Firefox: 143.0.4
    Safari: 26.0.1
  npmPackages:
    wxt: ^0.20.11 => 0.20.11

Used Package Manager

npm

borfig · Oct 24 '25 16:10
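The audit output above only shows the dependency chain as npm prints it. As an added example (not code from the wxt project or from the issue author), the script below walks a package-lock.json (lockfileVersion 3) the way npm resolves nested and hoisted `node_modules` entries, lists every path from a root dependency to a given package (here `fast-redact`), and checks whether the installed `pino` already meets the `>=9.12.0` threshold the issue proposes. The embedded lockfile is a constructed fragment modelled on the chain in the report; only the pino version (9.11.0, inside the range the audit flags) and the wxt version (0.20.11) come from the page, the other version strings are placeholders.

```javascript
// Added example: trace a transitive vulnerable dependency through a
// package-lock.json (lockfileVersion 3) graph and check the proposed fix.
// This is not the wxt project's code; the lockfile below is constructed.

// Constructed lockfile fragment mirroring the chain in the audit report:
// wxt -> web-ext-run -> pino -> fast-redact. Versions marked "placeholder"
// are not from the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { wxt: "^0.20.11" } },
    "node_modules/wxt": {
      version: "0.20.11",
      dependencies: { "web-ext-run": "0.0.0-placeholder" },
    },
    "node_modules/web-ext-run": {
      version: "0.0.0-placeholder",
      dependencies: { pino: "^9.0.0" },
    },
    "node_modules/pino": {
      version: "9.11.0", // inside the 5.0.0-rc.1 - 9.11.0 range the audit reports
      dependencies: { "fast-redact": "0.0.0-placeholder" },
    },
    "node_modules/fast-redact": { version: "0.0.0-placeholder" },
  },
};

// npm resolves a dependency of the package at `fromPath` by first looking for
// a nested copy (`<fromPath>/node_modules/<name>`) and then walking up until
// it reaches the hoisted top-level `node_modules/<name>`.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name of a lockfile key such as "node_modules/a/node_modules/@s/b".
function nameOf(pkgPath) {
  const marker = "node_modules/";
  return pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
}

// Every path (as a list of package names) from a root dependency to `target`.
// A per-path `seen` set stops cycles without hiding alternative routes.
function findPaths(lock, target) {
  const packages = lock.packages;
  const root = packages[""] || {};
  const rootDeps = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const found = [];
  function walk(pkgPath, chain, seen) {
    const name = nameOf(pkgPath);
    const next = [...chain, name];
    if (name === target) {
      found.push(next);
      return;
    }
    if (seen.has(pkgPath)) return;
    const nextSeen = new Set(seen);
    nextSeen.add(pkgPath);
    for (const dep of Object.keys(packages[pkgPath].dependencies || {})) {
      const resolved = resolveDep(packages, pkgPath, dep);
      if (resolved) walk(resolved, next, nextSeen);
    }
  }
  for (const dep of Object.keys(rootDeps)) {
    const resolved = resolveDep(packages, "", dep);
    if (resolved) walk(resolved, [], new Set());
  }
  return found;
}

// Numeric major.minor.patch comparison; prerelease tags are ignored, so a
// "9.12.0-rc.1" counts as 9.12.0 here (good enough for this check).
function versionAtLeast(version, minimum) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const a = parse(version);
  const b = parse(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

function installedVersion(lock, name) {
  const entry = lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// Summarise: who pulls in fast-redact, and does the hoisted pino already
// satisfy the >=9.12.0 fix the issue suggests for web-ext-run?
function report(lock) {
  const pino = installedVersion(lock, "pino");
  return {
    chains: findPaths(lock, "fast-redact").map((c) => c.join(" > ")),
    pinoVersion: pino,
    pinoFixed: pino !== null && versionAtLeast(pino, "9.12.0"),
  };
}

console.log(JSON.stringify(report(sampleLock), null, 2));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Until web-ext-run raises its pino floor, a consumer-side workaround (an npm feature, not something the issue itself proposes) is an `"overrides": { "pino": ">=9.12.0" }` entry in package.json, which the same script can then confirm by reporting `pinoFixed: true` on the regenerated lockfile.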