npm audit security vulnerabilities #5335
Comments
Just started seeing the same. Happens even with a simple "gatsby new xxxx".
I have seen similar vulnerability errors when trying to install the styled components and the react-next plugins. What can be done to clear these vulnerabilities?
Looking at the info url for most of these vulnerabilities the dependencies need to update. Looks like most of them are caused by old versions of lodash, deep-extend, and mime. These issues probably existed for some time but are just surfacing now because npm acquired Lift Security.
What versions of npm are you using? I've added a PR to fix the 'moderate' vulnerability. I'd love help updating other dependencies where possible. Note that Gatsby v1 uses webpack v1, so it might not be possible to fix issues where Gatsby is relying on webpack v1 compatible dependencies. This will most likely apply to dependencies based on Babel, webpack and PostCSS. A lot of these look like they'll need dependencies' dependencies to upgrade.
Any progress on this?
$ npm i gatsby@next
+ gatsby@2.0.0-beta.59
added 1474 packages from 992 contributors and audited 16096 packages in 60.533s
found 1 high severity vulnerability
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.1.5 <2.0.0 || >=3.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ gatsby > remote-redux-devtools > socketcluster-client > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 16096 scanned packages
It's in the aforementioned
Resolving #6575 should remove this last high vulnerability.
Like @roachnt I am getting Critical on "Command Injection" on
=== npm audit security report ===

Run npm update macaddress --depth 5 to resolve 2 vulnerabilities

Critical        Command Injection
Package         macaddress
Dependency of   css-loader [dev]
Path            css-loader > cssnano > postcss-filter-plugins > uniqid >

Critical        Command Injection
Package         macaddress
Dependency of   cssnano [dev]
Path            cssnano > postcss-filter-plugins > uniqid > macaddress
More info       https://nodesecurity.io/advisories/654

Run npm update fill-range --depth 5 to resolve 1 vulnerability

Low             Cryptographically Weak PRNG
Package         randomatic
Dependency of   http-proxy-middleware [dev]
Path            http-proxy-middleware > micromatch > braces > expand-range >
More info       https://nodesecurity.io/advisories/157
Closing this since a new
After install I was warned by npm of many security issues. Here is what I am seeing
These are all (except for a few) dependencies of gatsby