JohnMilazzo
commented
6 years ago Just started seeing the same. Happens even with a simple "gatsby new xxxx".
Closed brandonkal closed 5 years ago
JohnMilazzo
commented
6 years ago Just started seeing the same. Happens even with a simple "gatsby new xxxx".
martinpsz
commented
6 years ago I have seen similar vulnerability errors when trying to install the styled components and the react-next plugins. What can be done to clear these vulnerabilities?
brandonkal
commented
6 years ago Looking at the info url for most of these vurnerabilities the dependencies need to update. Looks like most of them are caused by old versions of lodash, deep-extend, and mime. These issues probably existed for some time but are just surfacing now because npm aquired Lift Security.
m-allanson
commented
6 years ago What versions of npm are you using?
I've added a PR to fix the 'moderate' vulnerability. I'd love help updating other dependencies where possible.
Note that Gatsby v1 uses webpack v1, so it might not be possible to fix issues where Gatsby is relying on webpack v1 compatible dependencies. This will most likely apply to dependencies based on Babel, webpack and PostCSS.
A lot of these look like they'll need dependencies dependencies' to upgrade.
roachnt
commented
6 years ago I'm getting the same output along with one "Critical" vulnerability:
biskwikman
commented
6 years ago Same with me but I'm getting 3 criticals: Packages "open", "command-exists", and "macaddress".
Defite
commented
6 years ago 
Do we really need remote-redux-devtools? socketcluster-client dep in it is bit outdated (current version is 13, package.json has 5.3.1) and the worst is that lastest commit into remote-redux-devtools was in the last year :)
Smmaca
commented
6 years ago Any progress on this?
jeddy3
commented
6 years ago npm install gatsby@next (aka 2.0.0-beta.59) with npm@6.2.0 is down to one high vulnerability:
$ npm i gatsby@next
+ gatsby@2.0.0-beta.59
added 1474 packages from 992 contributors and audited 16096 packages in 60.533s
found 1 high severity vulnerability
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.1.5 <2.0.0 || >=3.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ gatsby > remote-redux-devtools > socketcluster-client > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 16096 scanned packagesIt's in the aforementioned remote-redux-devtools package.
m-allanson
commented
6 years ago Resolving #6575 should remove this last high vulnerability.
franz-see
commented
6 years ago Like @roachnt I am getting Critical on "Command Injection" on gatsby > webpack-dev-server > open
huythieugia1996
commented
6 years ago === npm audit security report ===
Critical Command Injection
Package macaddress
Dependency of css-loader [dev]
Path css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress More info https://nodesecurity.io/advisories/654
Critical Command Injection
Package macaddress
Dependency of cssnano [dev]
Path cssnano > postcss-filter-plugins > uniqid > macaddress
More info https://nodesecurity.io/advisories/654
Low Cryptographically Weak PRNG
Package randomatic
Dependency of http-proxy-middleware [dev]
Path http-proxy-middleware > micromatch > braces > expand-range > fill-range > randomatic
More info https://nodesecurity.io/advisories/157
gabroun
commented
5 years ago I am not sure if this is the right place to post about the vulnerabilities warning I found, but I am getting these moderate warnings from gatsby-plugin-sharp regarding tunnel-agency package as you can see below
sidharthachatterjee
commented
5 years ago Closing this since a new gatsby install now has no vulnerabilities after gatsby-plugin-sharp@2.0.16
After install I was warned by npm of many security issues. Here is what I am seeing These are all (except for a few) dependencies of gatsby