contentful-labs / starter-gatsby-blog

Gatsby starter for a Contentful project from the community.
https://contentful.github.io/starter-gatsby-blog/
MIT License
195 stars, 199 forks

30 vulnerabilities found 7 Moderate | 23 High #167

Closed. goniti closed this issue 2 years ago

goniti commented 3 years ago

Hi, I'm new to gatsby,

I used the command: gatsby new contentful-starter-blog https://github.com/contentful/starter-gatsby-blog/

Then, with yarn audit, a warning reports 30 vulnerabilities (7 moderate and 23 high). I tried to fix this with yarn audit fix --force and also by updating each package manually, but nothing changes.

I guess the problem comes directly from this repo? Is it here that the version upgrades to fix the problems should be done and not on my machine?

Or do I have to use a specific command other than yarn upgrade?

xahmol commented 2 years ago

Any update on this? I have the same issue, by now with even much higher numbers: 136 vulnerabilities (4 low, 83 moderate, 36 high, 13 critical).

And that is for a clean install, after trying npm audit fix and npm audit fix --force. This does not seem in any way a valid basis to build a site on. Not exactly a great starting point for a starter aimed at somebody new to Gatsby / Contentful like me.

denkristoffer commented 2 years ago

Hi @goniti and @xahmol

Thanks for taking the time to write about your concerns here. These issues are from upstream packages, meaning they are related to code in dependencies of dependencies, in this case in packages from Gatsby itself. The good news here is that these are not really issues that are of any danger to you. Gatsby is a build tool that runs on your computer (or server), while the vulnerabilities are only of concern if the code were used on the client side. Unfortunately npm audit is not smart enough to take such situations into account. If you are interested in more information about this, I can recommend reading this reply from the Gatsby team itself or this longer one from another build tool, create-react-app.

In short, you don't need to worry about your websites being vulnerable, despite what npm says. I'll close this issue but feel free to continue the discussion if you'd like.
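The maintainer's argument above is that the flagged packages are only reachable through a build tool and never run in the browser. npm audit does not make that distinction, but it can be checked rather than assumed. The script below is an added example, written for this page; it is not code from the issue thread, from the starter repository or from the Gatsby project. It reads the JSON that `npm audit --json` emits (auditReportVersion 2, npm 7 and later) together with a package-lock.json (lockfileVersion 2 or 3), whose per-package `dev` flag marks packages reachable only through devDependencies, and follows each finding's `effects` chain up to the direct dependencies that pull it in. A finding counts as build-only when every such root is a devDependency or is listed in `BUILD_ONLY_ROOTS`; that set is the operator's own judgement (here, the assumption that `gatsby` only runs at build time, which is needed because the starter lists it under `dependencies`, so the lockfile's `dev` flag does not cover it). Everything else is left as "needs review": the script can only prove what is unreachable from the client bundle, not what is safe. The audit report, lockfile, package names and versions embedded below are constructed sample data.

```python
"""Split npm audit findings into build-only versus needs-review.

Added example, not part of the issue thread or the starter repository.
Assumes the `npm audit --json` format (auditReportVersion 2) and a
package-lock.json (lockfileVersion 2/3) whose `dev: true` marks packages
reachable only via devDependencies. BUILD_ONLY_ROOTS is an assumption
about which direct dependencies never ship code to the browser.
"""
import json

# Assumption: the static-site generator only executes at build time.
BUILD_ONLY_ROOTS = {"gatsby"}

# Constructed sample of a trimmed `npm audit --json` report (not real advisories).
SAMPLE_AUDIT = json.loads(r"""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {"name": "lodash", "severity": "high", "isDirect": false,
               "via": [{"name": "lodash", "severity": "high", "title": "sample advisory", "range": "<4.17.21"}],
               "effects": ["gatsby"], "range": "<4.17.21", "nodes": ["node_modules/lodash"], "fixAvailable": true},
    "gatsby": {"name": "gatsby", "severity": "high", "isDirect": true,
               "via": ["lodash"], "effects": [], "range": "*", "nodes": ["node_modules/gatsby"], "fixAvailable": true},
    "minimist": {"name": "minimist", "severity": "moderate", "isDirect": false,
                 "via": [{"name": "minimist", "severity": "moderate", "title": "sample advisory", "range": "<1.2.6"}],
                 "effects": ["mkdirp"], "range": "<1.2.6", "nodes": ["node_modules/minimist"], "fixAvailable": true},
    "mkdirp": {"name": "mkdirp", "severity": "moderate", "isDirect": true,
               "via": ["minimist"], "effects": [], "range": "*", "nodes": ["node_modules/mkdirp"], "fixAvailable": true},
    "node-fetch": {"name": "node-fetch", "severity": "high", "isDirect": true,
                   "via": [{"name": "node-fetch", "severity": "high", "title": "sample advisory", "range": "<2.6.7"}],
                   "effects": [], "range": "<2.6.7", "nodes": ["node_modules/node-fetch"], "fixAvailable": true}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 2, "high": 3, "critical": 0, "total": 5}}
}
""")

# Constructed sample package-lock.json: mkdirp is a devDependency, so it and
# minimist carry `dev: true`; gatsby and node-fetch are regular dependencies.
SAMPLE_LOCK = json.loads(r"""
{
  "name": "sample-site", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"gatsby": "^4.0.0", "node-fetch": "^2.6.0"},
         "devDependencies": {"mkdirp": "^0.5.0"}},
    "node_modules/gatsby": {"version": "4.0.0"},
    "node_modules/lodash": {"version": "4.17.20"},
    "node_modules/node-fetch": {"version": "2.6.0"},
    "node_modules/mkdirp": {"version": "0.5.1", "dev": true},
    "node_modules/minimist": {"version": "1.2.0", "dev": true}
  }
}
""")


def direct_roots(vulns, name, seen=None):
    """Follow `effects` (the packages that depend on `name`) upward until
    reaching entries marked isDirect; those are the top-level dependencies
    through which the vulnerable package is reachable."""
    seen = set() if seen is None else seen
    if name in seen or name not in vulns:
        return set()
    seen.add(name)
    entry = vulns[name]
    roots = {name} if entry.get("isDirect") else set()
    for dependent in entry.get("effects", []):
        roots |= direct_roots(vulns, dependent, seen)
    return roots


def classify(audit, lock, build_only_roots=BUILD_ONLY_ROOTS):
    """Return {package: {severity, roots, build_only}} for every finding."""
    packages = lock.get("packages", {})
    dev_roots = set(packages.get("", {}).get("devDependencies", {}))
    build_roots = dev_roots | set(build_only_roots)
    vulns = audit["vulnerabilities"]
    report = {}
    for name, entry in vulns.items():
        nodes = entry.get("nodes", [])
        # Lockfile says every installed copy is reachable only via devDependencies.
        dev_only = bool(nodes) and all(packages.get(n, {}).get("dev", False) for n in nodes)
        roots = direct_roots(vulns, name)
        # Every direct dependency that pulls this in is a build-time root.
        only_build_roots = bool(roots) and roots <= build_roots
        report[name] = {
            "severity": entry["severity"],
            "roots": sorted(roots),
            "build_only": dev_only or only_build_roots,
        }
    return report


def summarize(report):
    """Count findings per class; anything not build-only needs manual review."""
    build_only = sum(1 for r in report.values() if r["build_only"])
    return {"build_only": build_only, "needs_review": len(report) - build_only}


if __name__ == "__main__":
    result = classify(SAMPLE_AUDIT, SAMPLE_LOCK)
    for pkg, info in sorted(result.items()):
        label = "build-only" if info["build_only"] else "NEEDS REVIEW"
        print(f"{pkg:<12} {info['severity']:<9} roots={info['roots']} {label}")
    print(summarize(result))
```

To use it on a real project, replace the two constructed samples with `json.load()` of `npm audit --json` output and of the project's package-lock.json (Yarn v1 users get an equivalent dependency path from `yarn why <package>`). Findings that land in "needs review" are the ones worth checking against the built output; the build-only ones still execute on the build machine, so a fix that is available is still worth taking, but they do not reach site visitors.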