Npm audit report
Andrewx24 opened this issue · comments
5 vulnerabilities showed up when I ran npm audit. This was the report:
npm audit report
cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - GHSA-pxg6-pf52-xh8x
fix available via npm audit fix --force
Will install next-auth@3.29.10, which is a breaking change
node_modules/engine.io/node_modules/cookie
node_modules/next-auth/node_modules/cookie
engine.io 1.8.0 - 6.6.1
Depends on vulnerable versions of cookie
node_modules/engine.io
socket.io 1.6.0 - 4.7.5
Depends on vulnerable versions of engine.io
node_modules/socket.io
react-email 1.10.1-canary.0 - 1.10.1-canary.18 || >=1.10.2-canary.0
Depends on vulnerable versions of socket.io
node_modules/react-email
next-auth <=0.0.0-pr.11562.ed0fce23 || 4.0.0-beta.1 - 4.0.0-beta.7 || 4.0.1 - 4.24.8
Depends on vulnerable versions of cookie
node_modules/next-auth
5 low severity vulnerabilities
Waiting for next-auth (which we can override to bump up cookie) and react-email (engine.io + socket.io + cookie) to update their libs.
We'll check if we can override react-email as well in the meantime.
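One way to confirm that an override has actually removed the flagged copies, as an added example that is not code from this repository or from npm: it scans the `packages` map of a package-lock.json for every installed copy of cookie older than 0.7.0, including nested ones such as the two paths in the report. The lockfile excerpts, their version numbers and the function names are constructed for illustration.

```javascript
// Parse "major.minor.patch" into numbers; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// List every installed copy of `name` older than `fixed` in a lockfile
// `packages` map (lockfileVersion 2 or 3), nested copies included.
function findVulnerableCopies(lock, name, fixed) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isBelow(meta.version, fixed))
    .map(([path, meta]) => `${path}@${meta.version}`)
    .sort();
}

// Constructed lockfile excerpts; the installed versions are illustrative.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/cookie": { version: "0.7.2" },
    "node_modules/engine.io/node_modules/cookie": { version: "0.4.2" },
    "node_modules/next-auth/node_modules/cookie": { version: "0.5.0" },
    "node_modules/tough-cookie": { version: "4.1.4" }, // different package, must not match
  },
};
// Assumed state after an override pins cookie to a fixed release everywhere.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/cookie": { version: "0.7.2" },
  },
};

console.log("before:", findVulnerableCopies(lockBefore, "cookie", "0.7.0"));
console.log("after: ", findVulnerableCopies(lockAfter, "cookie", "0.7.0"));
```

Against a real project, pass the parsed contents of package-lock.json as `lock`; a non-empty result means some dependency still resolves its own older copy.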