After a fresh install of Gatsby I got problems that required audit fix

Description

After installing the gatsby package I get --> 10 vulnerabilities (5 moderate, 5 high). Updating an old project with gatsby v2 leads to a similar situation (I know this is another problem, but I got here testing whether a new version frees me of these problems).

Audit fix doesn’t fix anything

Steps to reproduce

npm install --save react react-dom gatsby

Expected result

0 vulnerabilities

Actual result

npm audit report

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via npm audit fix --force
Will install gatsby@2.32.13, which is a breaking change
node_modules/postcss
  gatsby  2.6.1-ink-node6.16 - 2.6.1-ink-node6.17 || 2.18.13-telemetry-test.2972 - 2.18.13-telemetry-test.2976 || >=2.22.12
  Depends on vulnerable versions of gatsby-cli
  Depends on vulnerable versions of postcss
  node_modules/gatsby
    babel-plugin-remove-graphql-queries  >=2.17.0-next.0
    Depends on vulnerable versions of gatsby
    node_modules/babel-plugin-remove-graphql-queries
    gatsby-plugin-page-creator  >=2.11.0-next.0
    Depends on vulnerable versions of gatsby
    node_modules/gatsby-plugin-page-creator
    gatsby-plugin-typescript  >=2.13.0-next.0
    Depends on vulnerable versions of gatsby
    node_modules/gatsby-plugin-typescript
    gatsby-plugin-utils  >=0.10.0-next.0
    Depends on vulnerable versions of gatsby
    node_modules/gatsby-plugin-utils

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://npmjs.com/advisories/1700
fix available via npm audit fix --force
Will install gatsby@2.32.13, which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    gatsby-recipes  0.0.7-unifiedroutes.76 - 0.0.7-unifiedroutes-v2.135 || >=0.1.31
    Depends on vulnerable versions of remark-parse
    node_modules/gatsby-recipes
      gatsby-cli  2.8.20-telemetry-test.2972 - 2.8.20-telemetry-test.2976 || 2.11.10-unifiedroutes.76 - 2.11.10-unifiedroutes-v2.135 || >=2.12.37
      Depends on vulnerable versions of gatsby-recipes
      node_modules/gatsby-cli
        gatsby  2.6.1-ink-node6.16 - 2.6.1-ink-node6.17 || 2.18.13-telemetry-test.2972 - 2.18.13-telemetry-test.2976 || >=2.22.12
        Depends on vulnerable versions of gatsby-cli
        Depends on vulnerable versions of postcss
        node_modules/gatsby
          babel-plugin-remove-graphql-queries  >=2.17.0-next.0
          Depends on vulnerable versions of gatsby
          node_modules/babel-plugin-remove-graphql-queries
          gatsby-plugin-page-creator  >=2.11.0-next.0
          Depends on vulnerable versions of gatsby
          node_modules/gatsby-plugin-page-creator
          gatsby-plugin-typescript  >=2.13.0-next.0
          Depends on vulnerable versions of gatsby
          node_modules/gatsby-plugin-typescript
          gatsby-plugin-utils  >=0.10.0-next.0
          Depends on vulnerable versions of gatsby
          node_modules/gatsby-plugin-utils

10 vulnerabilities (5 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Environment

System:
  OS: Linux 5.4 Ubuntu 20.04.2 LTS (Focal Fossa)
  CPU: (12) x64 AMD Ryzen 5 3600 6-Core Processor
  Shell: 5.8 - /usr/bin/zsh
Binaries:
  Node: 14.16.1 - /usr/bin/node
  npm: 7.12.1 - /usr/bin/npm
npmPackages:
  gatsby: ^3.5.0 => 3.5.0
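One way to act on a report like this in CI, as an added example that is not part of the issue or of Gatsby: parse the JSON form of the same audit (`npm audit --json`, npm 7 format), count only the advisories that are root causes rather than every dependent npm lists, and fail the build only above a chosen severity. The `report` object is constructed by hand to mirror the text output above, with the trim chain shortened.

```javascript
// Added example, not part of the GitHub issue: triage an `npm audit --json` report
// (npm 7 "auditReportVersion: 2" shape) so CI fails on real advisories above a chosen
// severity instead of on the headline count. `report` is constructed to mirror the issue.
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    postcss: {
      name: "postcss", severity: "moderate", isDirect: false, range: "7.0.0 - 8.2.9",
      via: [{ title: "Regular Expression Denial of Service", url: "https://npmjs.com/advisories/1693" }],
      effects: ["gatsby"], fixAvailable: { name: "gatsby", version: "2.32.13", isSemVerMajor: true },
    },
    trim: {
      // Chain shortened: in the issue it runs trim -> remark-parse -> gatsby-recipes -> gatsby-cli -> gatsby.
      name: "trim", severity: "high", isDirect: false, range: "<0.0.3",
      via: [{ title: "Regular Expression Denial of Service in trim", url: "https://npmjs.com/advisories/1700" }],
      effects: ["gatsby"], fixAvailable: { name: "gatsby", version: "2.32.13", isSemVerMajor: true },
    },
    // Dependents are counted too (2 advisories become "10 vulnerabilities"); their `via` names packages.
    gatsby: {
      name: "gatsby", severity: "high", isDirect: true, range: ">=2.22.12",
      via: ["gatsby-cli", "postcss"], effects: [], fixAvailable: { name: "gatsby", version: "2.32.13", isSemVerMajor: true },
    },
  },
};

const LEVELS = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Root causes carry advisory objects in `via`; every other entry merely depends on one.
function rootCauses(r) {
  return Object.values(r.vulnerabilities).filter((v) => v.via.some((x) => typeof x === "object"));
}

// Follow `effects` upward to the direct dependencies that expose a root cause.
function exposedThrough(r, name, seen = new Set()) {
  const v = r.vulnerabilities[name];
  if (!v || seen.has(name)) return [];
  seen.add(name);
  return v.isDirect ? [name] : v.effects.flatMap((e) => exposedThrough(r, e, seen));
}

function triage(r, failAt = "high") {
  const failing = rootCauses(r).filter((v) => LEVELS[v.severity] >= LEVELS[failAt]);
  return {
    rootCauses: rootCauses(r).map((v) => v.name),
    failing: failing.map((v) => ({ name: v.name, range: v.range, advisory: v.via[0].url,
      exposedThrough: exposedThrough(r, v.name),
      breakingFixOnly: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor) })),
    shouldFail: failing.length > 0,
  };
}
```

A `breakingFixOnly` entry means the only fix npm offers is a semver-major change (here a downgrade to gatsby@2.32.13), which is the case a CI job should report rather than apply automatically.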

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 1
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

13 reactions
meera commented, May 27, 2021

I get a similar warning; manual review flags the postcss, trim and browserslist packages. 'Regular Expression Denial of Service in trim' is high.

This doesn’t affect the functionality - but ignoring it isn’t the solution.

5 reactions
el7cosmos commented, May 14, 2021

@LekoArts maybe those messages won’t affect the finished site, but they break builds on CI
