Closed brandonkal closed 5 years ago
Just started seeing the same. Happens even with a simple "gatsby new xxxx".
I have seen similar vulnerability errors when trying to install the styled components and the react-next plugins. What can be done to clear these vulnerabilities?
Looking at the info URL for most of these vulnerabilities, the dependencies need to update. Looks like most of them are caused by old versions of lodash, deep-extend, and mime. These issues probably existed for some time but are just surfacing now because npm acquired Lift Security.
What versions of npm are you using?
I've added a PR to fix the 'moderate' vulnerability. I'd love help updating other dependencies where possible.
Note that Gatsby v1 uses webpack v1, so it might not be possible to fix issues where Gatsby is relying on webpack v1 compatible dependencies. This will most likely apply to dependencies based on Babel, webpack and PostCSS.
A lot of these look like they'll need their dependencies' dependencies to upgrade.
I'm getting the same output along with one "Critical" vulnerability:
Same with me but I'm getting 3 criticals: Packages "open", "command-exists", and "macaddress".
Do we really need remote-redux-devtools? The socketcluster-client dep in it is a bit outdated (current version is 13, package.json has 5.3.1) and the worst is that the latest commit to remote-redux-devtools was in the last year :)
Any progress on this?
npm install gatsby@next (aka 2.0.0-beta.59) with npm@6.2.0 is down to one high vulnerability:
$ npm i gatsby@next
+ gatsby@2.0.0-beta.59
added 1474 packages from 992 contributors and audited 16096 packages in 60.533s
found 1 high severity vulnerability
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.1.5 <2.0.0 || >=3.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ gatsby > remote-redux-devtools > socketcluster-client > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 16096 scanned packages
It's in the aforementioned remote-redux-devtools package.
Resolving #6575 should remove this last high vulnerability.
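The audit table above only tells you one path to the vulnerable package and the "Patched in" range. When the same package is pulled in several times (as happens with ws, lodash and friends), it helps to know every path and which installed copies actually fall inside the patched range before deciding whether a bump of one direct dependency is enough. The following is an added example, not code from Gatsby or npm: it walks a tree shaped like `npm ls --json` / package-lock.json output, lists every path to a named package, and checks each version against a "Patched in" range in the format npm audit prints. The tree is constructed for illustration; the socketcluster-client version (5.3.1) and the ws patched range (`>= 1.1.5 <2.0.0 || >=3.3.1`) come from this thread, while the other versions are made up.

```javascript
// Added example (not from the Gatsby project or npm). Given a dependency tree in
// the shape `npm ls --json` emits, find every path to `target` and check each
// installed version against a "Patched in" range as printed by `npm audit`,
// e.g. ">= 1.1.5 <2.0.0 || >=3.3.1". Only the comparators npm audit prints
// (>=, <=, >, <, =) joined by spaces (AND) and "||" (OR) are supported; "*"
// matches everything and "<0.0.0" (no fix available) matches nothing.

function parseVersion(v) {
  // Accept an optional leading "v" and ignore any prerelease/build suffix.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` lies inside `range` (the "Patched in" column).
function satisfies(version, range) {
  return range.split('||').some((alternative) => {
    const alt = alternative.trim();
    if (alt === '*') return true;
    const comparators = alt.match(/(>=|<=|>|<|=)\s*\d+\.\d+\.\d+/g) || [];
    if (comparators.length === 0) return false;
    return comparators.every((c) => {
      const m = /^(>=|<=|>|<|=)\s*(.+)$/.exec(c);
      const cmp = compareVersions(version, m[2]);
      switch (m[1]) {
        case '>=': return cmp >= 0;
        case '<=': return cmp <= 0;
        case '>': return cmp > 0;
        case '<': return cmp < 0;
        default: return cmp === 0;
      }
    });
  });
}

// Depth-first walk over { name, version, dependencies: { <name>: {...} } }.
// Returns one entry per occurrence of `target`, with the full path to it.
function findPaths(tree, target) {
  const hits = [];
  function walk(node, name, path) {
    const here = path.concat(name);
    if (name === target) hits.push({ path: here, version: node.version });
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  }
  walk(tree, tree.name, []);
  return hits;
}

// One record per path: is the installed copy already inside the patched range?
function auditPackage(tree, target, patchedIn) {
  return findPaths(tree, target).map((hit) => ({
    path: hit.path.join(' > '),
    version: hit.version,
    patched: satisfies(hit.version, patchedIn),
  }));
}

// Constructed sample tree (hypothetical versions except socketcluster-client@5.3.1,
// which the thread mentions). It mirrors the path from the audit output above and
// adds a second, already-patched copy of ws under a made-up webpack-dev-server node.
const sampleTree = {
  name: 'gatsby',
  version: '2.0.0-beta.59',
  dependencies: {
    'remote-redux-devtools': {
      version: '0.5.12',
      dependencies: {
        'socketcluster-client': {
          version: '5.3.1',
          dependencies: { ws: { version: '1.1.1', dependencies: {} } },
        },
      },
    },
    'webpack-dev-server': {
      version: '3.1.4',
      dependencies: { ws: { version: '5.2.1', dependencies: {} } },
    },
  },
};

// "Patched in" range for ws as printed in the audit table above.
const WS_PATCHED_IN = '>= 1.1.5 <2.0.0 || >=3.3.1';

function formatReport(tree, target, patchedIn) {
  return auditPackage(tree, target, patchedIn).map(
    (r) => `${r.patched ? 'ok  ' : 'VULN'} ${target}@${r.version}  ${r.path}`
  );
}

console.log(formatReport(sampleTree, 'ws', WS_PATCHED_IN).join('\n'));
```

To run it against a real install, replace `sampleTree` with `JSON.parse` of `npm ls --json --all` output (older npm prints the full tree without `--all`) and paste the "Patched in" string from the audit table. The point of the second ws copy is that a single "found 1 high severity vulnerability" line can hide several copies of a package, only some of which need a bump.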
Like @roachnt I am getting Critical on "Command Injection" on gatsby > webpack-dev-server > open
=== npm audit security report ===
Critical       Command Injection
Package        macaddress
Dependency of  css-loader [dev]
Path           css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress
More info      https://nodesecurity.io/advisories/654

Critical       Command Injection
Package        macaddress
Dependency of  cssnano [dev]
Path           cssnano > postcss-filter-plugins > uniqid > macaddress
More info      https://nodesecurity.io/advisories/654

Low            Cryptographically Weak PRNG
Package        randomatic
Dependency of  http-proxy-middleware [dev]
Path           http-proxy-middleware > micromatch > braces > expand-range > fill-range > randomatic
More info      https://nodesecurity.io/advisories/157
I am not sure if this is the right place to post about the vulnerability warnings I found, but I am getting these moderate warnings from gatsby-plugin-sharp regarding the tunnel-agency package, as you can see below.
Closing this since a new gatsby install now has no vulnerabilities after gatsby-plugin-sharp@2.0.16.
After install I was warned by npm of many security issues. Here is what I am seeing. These are all (except for a few) dependencies of gatsby.