Summary
npm audit on vercel-plugin@0.42.1 (and 0.40.1) reports two high-severity advisories in undici@7.22.0, pulled in transitively via @vercel/sandbox@1.8.0:
vercel-plugin@0.42.1
└─┬ @vercel/sandbox@1.8.0
  └── undici@7.22.0
Advisories:
- upgrade option (high)
- DeduplicationHandler → DoS (high)
- server_max_window_bits (moderate)
Each has a fixed version available; npm audit fix resolves all three (two high, one moderate) without breaking changes.
Reproduction
cd ~/.claude/plugins/cache/claude-plugins-official/vercel/0.42.1
npm i --package-lock-only --ignore-scripts
npm audit
2 high severity vulnerabilities
fix available via `npm audit fix`
Suggested fix
Bump @vercel/sandbox to a release that pulls a patched undici, or add an overrides entry in the plugin's package.json to pin undici to the fixed version.
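For anyone automating this check across installed plugins, here is an added Python example (not part of this report or of the plugin's code) that parses an `npm audit --json` report, lists the advisories at or above a severity threshold, attributing them to the package that actually carries them rather than to every dependent that inherits them, and produces the `overrides` entry the suggested fix describes. The embedded report is a constructed sample in the shape of npm's `auditReportVersion` 2 output; the advisory ids, URLs, ranges and the patched version `7.99.0` are placeholders, since the real fixed version is not stated above.

```python
import json

# Severity ordering used by npm audit; a higher rank is worse.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample shaped like an `npm audit --json` report (auditReportVersion 2).
# Advisory ids, URLs, ranges and the patched version 7.99.0 are placeholders.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "undici": {
            "name": "undici",
            "severity": "high",
            "isDirect": False,
            "via": [
                {"source": 1000001, "name": "undici", "severity": "high",
                 "title": "upgrade option", "url": "https://example.invalid/advisory-1",
                 "range": "<7.99.0"},
                {"source": 1000002, "name": "undici", "severity": "high",
                 "title": "DeduplicationHandler DoS", "url": "https://example.invalid/advisory-2",
                 "range": "<7.99.0"},
                {"source": 1000003, "name": "undici", "severity": "moderate",
                 "title": "server_max_window_bits", "url": "https://example.invalid/advisory-3",
                 "range": "<7.99.0"},
            ],
            "effects": ["@vercel/sandbox"],
            "range": "<7.99.0",
            "nodes": ["node_modules/undici"],
            "fixAvailable": {"name": "undici", "version": "7.99.0", "isSemVerMajor": False},
        },
        "@vercel/sandbox": {
            "name": "@vercel/sandbox",
            "severity": "high",
            "isDirect": True,
            "via": ["undici"],  # inherited: the advisories live on undici, not here
            "effects": [],
            "range": "*",
            "nodes": ["node_modules/@vercel/sandbox"],
            "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 2, "critical": 0, "total": 3}},
})


def root_cause_advisories(report, threshold="high"):
    """Advisories at or above `threshold`, attributed to the package that carries them.
    A `via` entry that is a dict is an advisory on this package; a bare string means the
    finding is inherited from another package and is reported there instead."""
    min_rank = SEVERITY_RANK[threshold]
    found = []
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if isinstance(via, str):
                continue
            if SEVERITY_RANK.get(via.get("severity", "info"), 0) >= min_rank:
                found.append({"package": pkg, "severity": via["severity"],
                              "title": via.get("title", "")})
    return found


def non_breaking_fix_versions(report):
    """Map package -> patched version where npm reports a non-semver-major fix.
    `fixAvailable` is either a dict naming the target version or a bare bool."""
    fixes = {}
    for entry in report.get("vulnerabilities", {}).values():
        fix = entry.get("fixAvailable")
        if isinstance(fix, dict) and not fix.get("isSemVerMajor", False):
            fixes[fix["name"]] = fix["version"]
    return fixes


def with_overrides(package_json, pins):
    """Return a copy of a package.json dict with an `overrides` block pinning each package.
    npm applies overrides to transitive dependencies, which is what the suggested fix needs."""
    updated = json.loads(json.dumps(package_json))  # deep copy; caller's dict is untouched
    updated.setdefault("overrides", {}).update(pins)
    return updated


def audit_gate(audit_json, threshold="high"):
    """True when the report contains no advisory at or above the threshold."""
    return not root_cause_advisories(json.loads(audit_json), threshold)


if __name__ == "__main__":
    report = json.loads(SAMPLE_AUDIT_JSON)
    for finding in root_cause_advisories(report):
        print(f"{finding['severity']:8} {finding['package']}: {finding['title']}")
    plugin_pkg = {"name": "vercel-plugin", "version": "0.42.1",
                  "dependencies": {"@vercel/sandbox": "1.8.0"}}
    print(json.dumps(with_overrides(plugin_pkg, non_breaking_fix_versions(report)), indent=2))
    print("gate passes:", audit_gate(SAMPLE_AUDIT_JSON))
```

To run it against a real plugin, replace `SAMPLE_AUDIT_JSON` with the output of `npm audit --json` from the plugin directory; the `overrides` block it prints is what would go into the plugin's package.json, with the placeholder version swapped for the version the advisory names as fixed.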
Impact
Practical risk is low for typical plugin use (calls go to Vercel's own APIs, not arbitrary URLs), but npm audit flags it on every install of the plugin, which is noisy for users running supply-chain hygiene tools.
Reported via Claude Code while auditing installed plugins for compromised packages — signatures all verified clean, no compromise indicators, just these known CVEs.