Gatsby: [gatsby] 4 vulnerabilities detected by new vscode extension `vscode-vuln-cost`

Created on 10 Apr 2020 · 15 comments · Source: gatsbyjs/gatsby

@wardpeet
I installed a new free vscode extension from Snyk; it analyzes the dependencies in code import statements for vulnerabilities.

https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost

I opened my Gatsby project and it shows 4 vulnerabilities in the 'gatsby' package.


Steps to reproduce

  1. Install https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost in your vscode.

  2. Open any Gatsby project file that has an import from 'gatsby' and wait until the vscode extension analyzes the dependency graph.

Expected result

There should be no vulnerabilities in the project.

Actual result

The extension detected 4 vulnerabilities in the 'gatsby' project and printed 2 of them in detail:

=== [email protected] ===

Indirect:
Medium Prototype Pollution in [email protected]
- https://snyk.io/vuln/SNYK-JS-DOTPROP-543489
Medium Prototype Pollution in [email protected]
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381

No remediation available.

Environment

System:
OS: macOS 10.15.4
CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
Shell: 5.7.1 - /bin/zsh
Binaries:
Node: 13.12.0 - ~/.nvm/versions/node/v13.12.0/bin/node
Yarn: 1.22.4 - /usr/local/bin/yarn
npm: 6.14.4 - ~/.nvm/versions/node/v13.12.0/bin/npm
Languages:
Python: 2.7.16 - /usr/bin/python
Browsers:
Chrome: 80.0.3987.163
Firefox: 74.0
Safari: 13.1
npmPackages:
gatsby: 2.20.14 => 2.20.14
gatsby-plugin-catch-links: 2.2.1 => 2.2.1
gatsby-plugin-manifest: 2.3.3 => 2.3.3
gatsby-plugin-minify-classnames: 0.2.0 => 0.2.0
gatsby-plugin-no-sourcemaps: 2.2.0 => 2.2.0
gatsby-plugin-offline: 3.1.2 => 3.1.2
gatsby-plugin-purgecss: 5.0.0 => 5.0.0
gatsby-plugin-react-helmet: 3.2.1 => 3.2.1
gatsby-plugin-robots-txt: 1.5.0 => 1.5.0
gatsby-plugin-root-import: 2.0.5 => 2.0.5
gatsby-plugin-sitemap: 2.3.1 => 2.3.1
gatsby-plugin-sri: 1.1.0 => 1.1.0
gatsby-plugin-typescript: 2.3.1 => 2.3.1
gatsby-plugin-webpack-bundle-analyser-v2: 1.1.8 => 1.1.8
npmGlobalPackages:
gatsby: 2.20.10

Labels: stale?, bug, upstream
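Both advisories in the report above are prototype pollution in dot-path setters reached through indirect dependencies. The following is an added example for this thread, not code from Gatsby, dot-prop or yargs-parser: a minimal dot-path setter and a tiny argv parser in that style, showing how a `__proto__.x` path lands on `Object.prototype`, beside a hardened setter that rejects the reserved segments. All function names and the hostile input are this example's own.

```javascript
// Added example for this issue thread; not code from Gatsby, dot-prop or
// yargs-parser. It shows the class of bug behind the two advisories:
// a dot-path setter that walks attacker-controlled keys and therefore
// reaches Object.prototype through "__proto__". All names are this
// example's own.

// Naive deep setter in the style of the vulnerable versions: "a.b.c"
// walks/creates intermediate objects without checking the key names.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    // "__proto__" resolves to Object.prototype here, which is an object,
    // so the walk continues into the shared prototype.
    if (cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: reject the reserved segments outright and only walk
// into own properties, so an inherited object is never used as a branch.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => RESERVED_KEYS.has(k))) {
    throw new Error(`refusing to set path through a reserved key: ${path}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Tiny argv parser in the style of dot-notation flag handling:
// "--a.b=c" becomes { a: { b: 'c' } } via whichever setter is supplied.
function parseArgs(argv, setter) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setter(out, m[1], m[2]);
  }
  return out;
}

// Constructed attacker input, e.g. a flag forwarded from an untrusted source.
const HOSTILE_ARGV = ['--__proto__.polluted=yes'];

// Run the hostile argv through the naive parser, observe the pollution on
// an unrelated object, then clean up so the process is not left polluted.
function demoPollution() {
  const unrelated = {};
  parseArgs(HOSTILE_ARGV, setPathUnsafe);
  const leaked = unrelated.polluted; // inherited from Object.prototype
  delete Object.prototype.polluted;
  return leaked;
}

// Same input through the hardened parser: the setter throws and nothing
// reaches Object.prototype.
function demoGuard() {
  try {
    parseArgs(HOSTILE_ARGV, setPathSafe);
    return 'not blocked';
  } catch (err) {
    return ({}).polluted === undefined ? 'blocked' : 'not blocked';
  }
}
```

`demoPollution()` returns `'yes'` read from an object the parser never touched, which is the whole point of the advisories: the pollution is global to the process, not local to the parsed object. The hardened version rejects the path before any write, and the own-property check stops a walk from descending into anything inherited even if a new reserved name turns up later.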

All 15 comments

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

Not stale!

Any update here? Same problem

Mind if I create a PR and try to fix?

@patrickdemers6 @ashokdelphia is already on it.

I'm having the same issue as @JustFly1984 and I'm watching these related issues:

https://github.com/yargs/yargs/pull/1544
https://github.com/yargs/yargs-parser/issues/270

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

not stale!

@pieh Currently Snyk vscode-vuln-cost reports 2 vulnerabilities for [email protected]:

https://snyk.io/test/npm/gatsby/2.23.1

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

Not stale! @wardpeet what is the status on the issue?

These are new vulnerabilities, this will always happen. We'll make sure we keep our packages up to date through renovatebot.

@wardpeet I would recommend removing the ^ prefix in semver for every dependency and devDependency, and setting up tests, because some dependencies can have bugs or misconfigurations even in patch versions that break gatsby - for example the devcert accident: the update from 1.1.0 to 1.1.1 broke gatsby in all of our projects for several days. Every package version update should be reviewed, not just blindly trusting npm to install the latest minor/patch version.

PS: do not remove ^ for peerDependencies.
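The pinning policy suggested in the comment above, as an added example that is not tooling from the Gatsby project: a script that lists every dependency or devDependency declared as a range rather than an exact version, leaves peerDependencies alone, and can rewrite plain caret/tilde ranges to their lower bound for review. The sample package.json is constructed for illustration and the function names are this example's own.

```javascript
// Added example for this thread; not tooling from the Gatsby project.
// It checks the pinning policy suggested above: dependencies and
// devDependencies should be exact versions, while peerDependencies may
// keep their ranges. The sample manifest below is constructed for
// illustration. All names are this example's own.

// Sections that should be pinned; peerDependencies is deliberately absent.
const PIN_SECTIONS = ['dependencies', 'devDependencies'];

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// A caret or tilde range whose remainder is an exact version; these can be
// rewritten to their lower bound mechanically. Anything else (>=, ||, x,
// *, dist-tags, git/file URLs) is left for a human to resolve.
const SIMPLE_PREFIXED = /^[\^~](\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/;

// List every entry in the pinned sections that is not an exact version.
function findUnpinned(pkg) {
  const findings = [];
  for (const section of PIN_SECTIONS) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(range)) findings.push({ section, name, range });
    }
  }
  return findings;
}

// Return a copy of the manifest with simple ^/~ ranges pinned to their
// lower bound; other ranges and the peerDependencies section are untouched.
function pinSimpleRanges(pkg) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const section of PIN_SECTIONS) {
    for (const [name, range] of Object.entries(out[section] || {})) {
      const m = SIMPLE_PREFIXED.exec(range);
      if (m) out[section][name] = m[1];
    }
  }
  return out;
}

// Constructed sample manifest (versions chosen for illustration only).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-site',
  dependencies: { gatsby: '^2.20.14', react: '16.13.1', 'dot-prop': '~5.2.0' },
  devDependencies: { typescript: '>=3.8.0', prettier: '2.0.4' },
  peerDependencies: { react: '^16.0.0' },
};

// CLI use: node check-pins.js path/to/package.json [--write]
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const pkg = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  for (const f of findUnpinned(pkg)) console.log(`${f.section}: ${f.name} ${f.range}`);
  if (process.argv.includes('--write')) {
    fs.writeFileSync(process.argv[2], JSON.stringify(pinSimpleRanges(pkg), null, 2) + '\n');
  }
}
```

Two caveats worth keeping in mind when applying this: pinning only fixes the direct dependencies a manifest declares, so what actually lands in the transitive tree (dot-prop and yargs-parser in this issue) is whatever the lockfile records, and a pinned manifest still needs a lockfile and an audit of it; and mechanical pinning of `>=`, `||` or wildcard ranges is intentionally refused, since the right exact version there is a review decision, not a regex.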

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

Hey again!

It’s been 30 days since anything happened on this issue, so our friendly neighborhood robot (that’s me!) is going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error, I’m HUMAN_EMOTION_SORRY. Please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks again for being part of the Gatsby community! 💪💜
