
gatsby@5.14.3 includes multer as a direct dependency #39304

@kelseyn12

Description

While using gatsby@5.14.3, npm explain multer shows that Gatsby directly depends on multer@1.4.5-lts.1, which is vulnerable (GHSA-whgm-jr23-g3j9).

I’m not using any file-upload functionality, and there’s no plugin pulling it in — it appears to come straight from Gatsby core.

Can this be removed or made optional?

Thanks for all your work on Gatsby

Reproduction Link

https://github.com/gatsbyjs/gatsby-starter-minimal

Steps to Reproduce

  1. Run npm install gatsby@5.14.3
  2. Run npm explain multer
  3. See that multer@1.4.5-lts.1 is included directly by Gatsby

Expected Result

Gatsby should not include multer directly, as it is not needed for typical usage and brings in a high-severity vulnerability.

Actual Result

gatsby@5.14.3 includes multer@1.4.5-lts.1 as a direct dependency, even though it's not required by any plugin or used in the project. This triggers a Dependabot alert for a known DoS vulnerability (GHSA-whgm-jr23-g3j9).

Environment

npx gatsby info --clipboard

Config Flags

No response

Labels: status: triage needed; type: bug