After a fresh install of Gatsby I got problems that require an audit fix
Description
After installing the gatsby package I get --> 10 vulnerabilities (5 moderate, 5 high). Updating an old project with gatsby v2 leads to a similar situation (I know this is another problem, but I got here testing whether a new version frees me of these problems).
Audit fix doesn’t fix anything
Steps to reproduce
npm install --save react react-dom gatsby
Expected result
0 vulnerabilities
Actual result
npm audit report
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via npm audit fix --force
Will install gatsby@2.32.13, which is a breaking change
node_modules/postcss
gatsby 2.6.1-ink-node6.16 - 2.6.1-ink-node6.17 || 2.18.13-telemetry-test.2972 - 2.18.13-telemetry-test.2976 || >=2.22.12
Depends on vulnerable versions of gatsby-cli
Depends on vulnerable versions of postcss
node_modules/gatsby
babel-plugin-remove-graphql-queries >=2.17.0-next.0
Depends on vulnerable versions of gatsby
node_modules/babel-plugin-remove-graphql-queries
gatsby-plugin-page-creator >=2.11.0-next.0
Depends on vulnerable versions of gatsby
node_modules/gatsby-plugin-page-creator
gatsby-plugin-typescript >=2.13.0-next.0
Depends on vulnerable versions of gatsby
node_modules/gatsby-plugin-typescript
gatsby-plugin-utils >=0.10.0-next.0
Depends on vulnerable versions of gatsby
node_modules/gatsby-plugin-utils
trim <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://npmjs.com/advisories/1700
fix available via npm audit fix --force
Will install gatsby@2.32.13, which is a breaking change
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/remark-parse
gatsby-recipes 0.0.7-unifiedroutes.76 - 0.0.7-unifiedroutes-v2.135 || >=0.1.31
Depends on vulnerable versions of remark-parse
node_modules/gatsby-recipes
gatsby-cli 2.8.20-telemetry-test.2972 - 2.8.20-telemetry-test.2976 || 2.11.10-unifiedroutes.76 - 2.11.10-unifiedroutes-v2.135 || >=2.12.37
Depends on vulnerable versions of gatsby-recipes
node_modules/gatsby-cli
gatsby 2.6.1-ink-node6.16 - 2.6.1-ink-node6.17 || 2.18.13-telemetry-test.2972 - 2.18.13-telemetry-test.2976 || >=2.22.12
Depends on vulnerable versions of gatsby-cli
Depends on vulnerable versions of postcss
node_modules/gatsby
babel-plugin-remove-graphql-queries >=2.17.0-next.0
Depends on vulnerable versions of gatsby
node_modules/babel-plugin-remove-graphql-queries
gatsby-plugin-page-creator >=2.11.0-next.0
Depends on vulnerable versions of gatsby
node_modules/gatsby-plugin-page-creator
gatsby-plugin-typescript >=2.13.0-next.0
Depends on vulnerable versions of gatsby
node_modules/gatsby-plugin-typescript
gatsby-plugin-utils >=0.10.0-next.0
Depends on vulnerable versions of gatsby
node_modules/gatsby-plugin-utils
10 vulnerabilities (5 moderate, 5 high)
To address issues that do not require attention, run: npm audit fix
To address all issues (including breaking changes), run: npm audit fix --force
Environment
System:
  OS: Linux 5.4 Ubuntu 20.04.2 LTS (Focal Fossa)
  CPU: (12) x64 AMD Ryzen 5 3600 6-Core Processor
  Shell: 5.8 - /usr/bin/zsh
Binaries:
  Node: 14.16.1 - /usr/bin/node
  npm: 7.12.1 - /usr/bin/npm
npmPackages:
  gatsby: ^3.5.0 => 3.5.0
Issue Analytics
- Created 2 years ago
- Reactions:1
- Comments:5 (1 by maintainers)
Top GitHub Comments
I get a similar warning; manual review flags the postcss, trim and browserslist packages. ‘Regular Expression Denial of Service in trim’ is high.
This doesn’t affect the functionality - but ignoring it isn’t the solution.
@LekoArts maybe those messages won’t affect the finished site, but they break builds on CI