gatsbyjs / gatsby

The best React-based framework with performance, scalability and security built in.
https://www.gatsbyjs.com
MIT License

High Severity NPM Warnings #34409

Closed ezrover closed 2 years ago

ezrover commented 2 years ago

Preliminary Checks

Description

I am experiencing a number of high severity NPM warnings caused by:

npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated react-load-script@0.0.6: abandoned and unmaintained
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated intl-messageformat-parser@1.8.1: We've written a new parser that's 6x faster and is backwards compatible. Please use @formatjs/icu-messageformat-parser
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated uuid@3.3.2: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic.
npm WARN deprecated uuid: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated core-js@2.6.12: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues.

Reproduction Link

https://gatsby.dev/reproduction

Steps to Reproduce

use gatsby 4.4 ...

Expected Result

No High severity npm warnings are shown

Actual Result

52 vulnerabilities (18 moderate, 30 high, 4 critical)

To address issues that do not require attention, run: npm audit fix

Expected Result

No critical NPM warnings

Actual Result

Warnings displayed

Environment

./node_modules/.bin/gatsby info --clipboard

  System:
    OS: macOS 11.6.2
    CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 14.18.1 - ~/.nvm/versions/node/v14.18.1/bin/node
    npm: 8.1.4 - ~/.nvm/versions/node/v14.18.1/bin/npm
  Languages:
    Python: 2.7.16 - /usr/bin/python
  Browsers:
    Chrome: 96.0.4664.110
    Safari: 15.2
  npmPackages:
    gatsby: ^4.4.0 => 4.4.0
    gatsby-cli: ^4.4.0 => 4.4.0
    gatsby-image: ^3.11.0 => 3.11.0
    gatsby-plugin-catch-links: ^4.4.0 => 4.4.0
    gatsby-plugin-client-side-redirect: ^1.1.0 => 1.1.0
    gatsby-plugin-create-client-paths: ^4.4.0 => 4.4.0
    gatsby-plugin-google-tagmanager: ^4.4.0 => 4.4.0
    gatsby-plugin-manifest: ^4.4.0 => 4.4.0
    gatsby-plugin-material-ui: ^4.1.0 => 4.1.0
    gatsby-plugin-react-helmet: ^5.4.0 => 5.4.0
    gatsby-plugin-remove-serviceworker: ^1.0.0 => 1.0.0
    gatsby-plugin-robots-txt: ^1.6.14 => 1.6.14
    gatsby-plugin-s3: ^0.3.8 => 0.3.8
    gatsby-plugin-sass: ^5.4.0 => 5.4.0
    gatsby-plugin-sharp: ^4.4.0 => 4.4.0
    gatsby-plugin-sitemap: ^5.4.0 => 5.4.0
    gatsby-plugin-styled-components: ^5.4.0 => 5.4.0
    gatsby-source-drupal: ^5.4.0 => 5.4.0
    gatsby-source-filesystem: ^4.4.0 => 4.4.0
    gatsby-transformer-sharp: ^4.4.0 => 4.4.0

Config Flags

None

LekoArts commented 2 years ago

Hi, thanks for the issue!

While those audit messages might seem scary, they are almost always irrelevant in the context of Gatsby as it's a build tool. So there is nothing to "fix" as the warning is not relevant.

Gatsby creates static assets and runs everything at build time and not during runtime. npm audit is designed for runtime / Node apps, so it flags issues that can occur there. This means that almost every "vulnerability" report we receive is a false positive. While in principle Gatsby can also have vulnerabilities, you need to make sure that it's relevant to Gatsby before reporting it. For example, a "Regex DDOS attack" can never be a real vulnerability for a development-time tool. If you want to override/update a transitive dependency, you can use yarn resolutions.

You can also read npm audit: Broken by Design to learn more about this.

If you know that a vulnerability affects Gatsby because you understand what the vulnerability is, please report it here. Thanks!
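The triage step the reply above asks for (decide whether a flagged package is actually reachable at runtime before treating an audit finding as real) can be scripted rather than done by hand. The following is an added example, not Gatsby's code nor anything posted in this thread: it walks a package-lock-style dependency graph from the root's runtime dependencies, skips a caller-supplied set of build-only top-level packages, and marks each advisory as runtime-reachable or build-time only. The lockfile, the advisory list, the `my-runtime-lib` package, the `runtimeReachable`/`triageAudit`/`resolutionsFor` helpers and the pinned version ranges are all constructed for illustration; the `fixedIn` of 7.0.0 for uuid only mirrors the deprecation notice quoted in the issue, and the flat `node_modules` layout (one installed copy per package) is a simplifying assumption.

```javascript
// Added example (not Gatsby code): triage npm audit findings by whether the
// flagged package is reachable from the project's runtime dependency graph.
//
// The lockfile shape is modelled after package-lock.json v2/v3: "packages"
// keyed by install path, with a `dev: true` flag on packages only pulled in
// through devDependencies. The walker assumes a flat node_modules layout.
// The lockfile and the advisory list are CONSTRUCTED sample data.

const sampleLock = {
  packages: {
    // Root package. As in a typical Gatsby site, `gatsby` is listed under
    // `dependencies`, so npm does NOT mark its subtree `dev: true`.
    "": { dependencies: { "my-runtime-lib": "^1.0.0", gatsby: "^4.4.0" } },
    "node_modules/my-runtime-lib": { version: "1.0.0", dependencies: { uuid: "^3.3.2" } },
    "node_modules/uuid": { version: "3.3.2" },
    "node_modules/gatsby": {
      version: "4.4.0",
      dependencies: { "source-map-resolve": "^0.5.3", request: "^2.88.2" },
    },
    "node_modules/source-map-resolve": { version: "0.5.3", dependencies: { urix: "^0.1.0" } },
    "node_modules/urix": { version: "0.1.0" },
    "node_modules/request": { version: "2.88.2" },
  },
};

// Constructed advisories. `fixedIn: null` means every version is affected
// (e.g. an unmaintained package with no patched release).
const sampleAdvisories = [
  { name: "uuid", severity: "moderate", fixedIn: "7.0.0" },
  { name: "request", severity: "moderate", fixedIn: null },
  { name: "urix", severity: "high", fixedIn: null },
];

// Every package reachable from the root's runtime dependencies.
// `buildOnlyRoots` names top-level packages the caller knows run only at
// build time (static-site generator, bundler, ...); their subtrees are
// skipped even though the lockfile lists them under `dependencies`.
function runtimeReachable(lock, buildOnlyRoots = new Set()) {
  const pkgs = lock.packages;
  const root = pkgs[""] || {};
  const queue = Object.keys(root.dependencies || {}).filter((n) => !buildOnlyRoots.has(n));
  const seen = new Set();
  while (queue.length) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = pkgs[`node_modules/${name}`];
    if (!entry || entry.dev) continue; // not installed, or a dev-only subtree
    queue.push(...Object.keys(entry.dependencies || {}));
  }
  return seen;
}

// Numeric "a < b" on dotted versions such as "3.3.2" (no semver ranges).
function versionLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// For each advisory whose package is installed in an affected version, record
// whether it is reachable at runtime or only through build-time tooling.
function triageAudit(lock, advisories, buildOnlyRoots = new Set()) {
  const runtime = runtimeReachable(lock, buildOnlyRoots);
  const findings = [];
  for (const adv of advisories) {
    const entry = lock.packages[`node_modules/${adv.name}`];
    if (!entry) continue; // package not installed at all
    const affected = adv.fixedIn === null || versionLess(entry.version, adv.fixedIn);
    if (!affected) continue;
    findings.push({
      name: adv.name,
      version: entry.version,
      severity: adv.severity,
      reachesRuntime: runtime.has(adv.name),
    });
  }
  return findings;
}

// Build a yarn `resolutions` (or npm `overrides`) object for findings that do
// reach runtime. `pins` maps package name to the range to force; the caller
// chooses it after reading the package's changelog.
function resolutionsFor(findings, pins) {
  const out = {};
  for (const f of findings) {
    if (f.reachesRuntime && pins[f.name]) out[f.name] = pins[f.name];
  }
  return out;
}

// Run the triage on the constructed data, treating `gatsby` as build-only.
function sampleTriage() {
  return triageAudit(sampleLock, sampleAdvisories, new Set(["gatsby"]));
}
```

With `gatsby` declared build-only, `sampleTriage()` reports `uuid` as runtime-reachable (it is pulled in by `my-runtime-lib`) and `request` and `urix` as build-time only; calling `triageAudit(sampleLock, sampleAdvisories)` without the build-only set marks all three as runtime-reachable, which is exactly why npm's own `dev` flag is not enough for a Gatsby site that keeps `gatsby` in `dependencies`. On a real project, `npm ls <package>` prints the dependency chains that lead to a flagged package, which is the information this walker derives from the lockfile.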