Gatsby: npm audit security vulnerabilities

Created on 21 Mar 2020  路  2Comments  路  Source: gatsbyjs/gatsby

Description

After install gatsby I was notified with this:

Run npm update mkdirp --depth 5 to resolve 1 vulnerability

Low Prototype Pollution

Package minimist

Dependency of gatsby

Path gatsby > eslint-loader > loader-fs-cache > find-cache-dir >
mkdirp > minimist

More info https://npmjs.com/advisories/1179

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package minimist

Patched in >=0.2.1 <1.0.0 || >=1.2.3

Dependency of gatsby

Path gatsby > eslint-loader > loader-fs-cache > mkdirp > minimist

More info https://npmjs.com/advisories/1179

found 2 low severity vulnerabilities in 24298 scanned packages
run npm audit fix to fix 1 of them.
1 vulnerability requires manual review. See the full report for details.

Run gastby new shows:

found 52 vulnerabilities (43 low, 9 high)
run npm audit fix to fix them, or npm audit for details
info Initialising git in test
Initialized empty Git repository in D:/Projects/CS/test/.git/
info Create initial git commit in test
info
Your new Gatsby site has been successfully bootstrapped. Start developing it by running:

cd test
gatsby develop

Steps to reproduce

npm install --save react react-dom gatsby node-sass gatsby-plugin-sass gatsby-plugin-react-helmet react-helmet

Environment

System:
OS: Windows 10 10.0.18363
CPU: (4) x64 Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
Binaries:
Node: 12.16.1 - C:\Program Files\nodejs\node.EXE
npm: 6.13.4 - C:\Program Files\nodejs\npm.CMD
Languages:
Python: 3.8.2
Browsers:
Edge: 44.18362.449.0
npmPackages:
gatsby: ^2.20.2 => 2.20.2
gatsby-plugin-react-helmet: ^3.2.0 => 3.2.0
gatsby-plugin-sass: ^2.2.0 => 2.2.0

My packcage.json:

{
"name": "personal-page",
"description": "My personal page",
"author": "@carloslsilva",
"private": true,
"scripts": {
"start": "npm run develop",
"develop": "gatsby develop",
"build": "gatsby build",
"serve": "gatsby serve",
"clean": "gatsby clean",
"test": "echo \"Write tests! -> https://gatsby.dev/unit-testing \"",
"format": "prettier --write \"*/.{js,jsx,json,md,css,scss}\""
},
"license": "ISC",
"dependencies": {
"gatsby": "^2.20.2",
"gatsby-plugin-react-helmet": "^3.2.0",
"gatsby-plugin-sass": "^2.2.0",
"node-sass": "^4.13.1",
"react": "^16.13.1",
"react-dom": "^16.13.1",
"react-helmet": "^5.2.1"
},
"devDependencies": {
"prettier": "^1.19.1"
}
}

bug
Source
picture carloslsilva

Most helpful comment

@carloslsilva yarn audit shows 105784 vulnerabilites. if there is a plan to fix this, I would like to take this up. (Fixing one package at a time...).
Screenshot 2020-03-22 at 3 37 27 AM

picture udaypydi on 21 Mar 2020
👍2

All 2 comments

@carloslsilva yarn audit shows 105784 vulnerabilites. if there is a plan to fix this, I would like to take this up. (Fixing one package at a time...).
Screenshot 2020-03-22 at 3 37 27 AM

udaypydi picture udaypydi on 21 Mar 2020
👍2

This is a duplicate of https://github.com/gatsbyjs/gatsby/issues/22385

LekoArts picture LekoArts on 23 Mar 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

totsteps picture totsteps  路  3Comments
jimfilippou picture jimfilippou  路  3Comments
hobochild picture hobochild  路  3Comments
ferMartz picture ferMartz  路  3Comments
dustinhorton picture dustinhorton  路  3Comments