High severity Dependabot alert in the Gatsby dependency 'path-to-regexp'

[justinclift]

Preliminary Checks

• [X] This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
• [X] This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions

Description

Gatsby presently has a requirement on path-to-regexp 0.1.7, which GitHub Dependabot has started issuing High severity security alerts for:

Hopefully a new point release of Gatsby 5.13.x can be created to resolve this problem. :smile:

Further info:

• https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10 <- path-to-regexp 0.1.10 release
  • Note that there's actually a subsequent 0.1.11 release, so it might be better to jump to that instead?
• https://blakeembrey.com/posts/2024-09-web-redos/ <- Author of path-to-regexp
• https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS <- OWASP write up

Reproduction Link

n/a

Steps to Reproduce

n/a

Expected Result

To have a Gatsby release available without security vulnerabilities in its dependency chain. :smile:

Actual Result

Gatsby 5.13.7 presently uses dependencies with reported security vulnerabilities. :frowning:

Environment

n/a

Config Flags

n/a

[wraithgar]

body-parser also has a high severity alert associated with it.

The issue for webpack-dev-middleware has also been untriaged since April.

[justinclift]

Ugh, that's not a good sign. :frowning:

Thanks for the info @wraithgar. :smile:

[wraithgar]

Looks like dependabot PRs are flowing once again which is a good sign!

• body-parser: https://github.com/gatsbyjs/gatsby/pull/39097
• path-to-regexp: https://github.com/gatsbyjs/gatsby/pull/39096
• webpack-dev-middleware https://github.com/gatsbyjs/gatsby/pull/39106

[serhalp]

Hi @justinclift. Thanks for reporting. We're working through bumping outdated dependencies with security alerts as we speak! We should have a release out later this week.

[justinclift]

Awesome, thanks for the heads up @serhalp. :smile:

[justinclift]

No PR for webpack-dev-middleware yet.

Well spotted. :smile:

Yeah hopefully the upcoming release fixes all of the outstanding security dependencies. That seems to be a tricky ongoing process these days as larger projects commonly have an ocean of dependencies. :scream:

[kruplm]

Looks like dependabot PRs are flowing once again which is a good sign!

• body-parser: chore(deps): bump body-parser from 1.20.1 to 1.20.3 #39097
• path-to-regexp: chore(deps): bump path-to-regexp from 0.1.7 to 0.1.10 #39096
• webpack-dev-middleware chore(deps): bump webpack-dev-middleware from 4.3.0 to 5.3.4 #39106

Hi, 2 of 3 dependency updates are yet to be merged. When are you planning to release a new version that upgrades these dependencies?