Gatsby: 5 high severity vulnerabilities when installing gatsby-source-contentful, all related to utils-extend npm package

Created on 1 Jun 2020 · 15Comments · Source: gatsbyjs/gatsby

Description

NPM install found 5 high severity vulnerabilities

Steps to reproduce

npm init
npm install --save gatsby-source-contentful

Expected result

The package shouldn't contain anything above medium severity vulnerabilities.

Actual result

npm audit and npm audit fix leave 5 high severity vulnerabilities, all are related to utils-extend which hasn't been updated in more than 5 years

Environment

Empty project, and currently ongoing projects leave the same warnings.

confirmed Contentful bug

Source

Standby78

👍18

Most helpful comment

This will be fixed in the next major version as it requires potentially breaking refactoring to get rid of these dependencies.

See #25249

axe312ger on 30 Jun 2020

👍10

All 15 comments

@vladar as far as I remember we as plugin maintainers should not touch the yarn.lock in PRs.

How should be proceed?

axe312ger on 5 Jun 2020

I think you can touch yarn.lock. It is just for monorepo (tests, local development, publishing, etc). When someone installs contentful plugin, yarn.lock of the monorepo is not used in any way.

So you can update the dependency in package.json of the plugin and run yarn in the monorepo root to update yarn.lock.

Check this PR for example: https://github.com/gatsbyjs/gatsby/pull/24788

vladar on 5 Jun 2020

@vladar 🆗

axe312ger on 10 Jun 2020

Okay I check this in detail. https://www.npmjs.com/package/base64-img wasn't updated for a while and the way we implement it, we do a request to Contentful every time we need a base64 version of an image.

I guess we should do the following:

Remove base64-img, gatsby-source-contentful is the only core package using it
Download the image via createRemoteFileNode. Or direct download & cache them in a separate folder. We won't need them in GraphQL.
Read the file via await fs.readFile('/path/to/file.jpg', {encoding: 'base64'});

This should:

Get rid of the mentioned security vulnerabilities
Replace an old package with node/core functionallity
May reduce the build time when doing recurring builds

axe312ger on 10 Jun 2020

Related: #24220

axe312ger on 10 Jun 2020

Will this vulnerability can have any impact on a production gatsby site?

gp1234 on 18 Jun 2020

No as the code won't be executed at all in a production environment :)

axe312ger on 23 Jun 2020

🎉2

This will be fixed in the next major version as it requires potentially breaking refactoring to get rid of these dependencies.

See #25249

axe312ger on 30 Jun 2020

👍10

@axe312ger I just wanted to follow up on this i installed the latest next package and I'm still getting the vulnerability error.

MikeyUchiha on 8 Aug 2020

@MikeyUchiha sorry, there is no fix implemented yet in that version. We probably have to postone it further except somebody picks it up.

We still need to change the base64 behavior as mentioned in https://github.com/gatsbyjs/gatsby/issues/24679#issuecomment-641885490 to get rid of all security issues

axe312ger on 12 Aug 2020

There is a ticket for changing the base64 behaviour: https://github.com/gatsbyjs/gatsby/issues/24220

axe312ger on 12 Aug 2020

@axe312ger Thank you for the update!

MikeyUchiha on 12 Aug 2020

As https://github.com/gatsbyjs/gatsby/pull/25249 was merged and released I'll close this one.