
[packages/core] upgrade nanoid to 3.3.8 (CVE-2024-55565) #1763

Closed
madebyfabian opened this issue Mar 6, 2025 · 3 comments · Fixed by #1886

Comments

@madebyfabian
Contributor

I got a Dependabot security alert that the @trigger.dev/sdk (via the /core package) npm package uses a nanoid version prior to 3.3.8, which has a vulnerability (see GHSA-mwcw-c2x4-8c55).

In my understanding, the core package (due to usage of the sdk package) is running in production code of users, so this incident seems valid.

If you feel this is not important, you can of course close this. Just wanted to bring this to attention :)

@CodeMan62
Contributor

Hi @madebyfabian,

I noticed that the project is currently using nanoid version 5.0.6 (as seen in the coordinator package.json), which is well beyond the vulnerable version 3.3.8 mentioned in the CVE. The current version is secure and not affected by this vulnerability.

Additionally, I notice that the CVE date is showing as March 6, 2025, which appears to be incorrect.

Since the project is already using a secure version, I believe this issue can be closed. Thank you for keeping an eye on security concerns!

@madebyfabian
Contributor Author

Hi @CodeMan62, thanks for your comment! I noticed that the core package here still has 3.3.4 (https://github.com/triggerdotdev/trigger.dev/blob/main/packages/core/package.json#L191); that's why I was getting the alert, I guess, because the core package is being installed when installing the sdk. So I guess this is still relevant, right?

@CodeMan62
Contributor

Hi @madebyfabian, thanks for giving the confirmation. Let me create a PR to change this version. Thanks for pointing me to this.
