gatsby-starter-builder

highly vulnerable packages

Open j2l opened this issue 4 years ago • 0 comments

Hello,

At `npm i`: added 1 package, removed 89 packages, 20 vulnerabilities (9 low, 5 moderate, 6 high)

And `npm audit fix --force` can't fix 5 of the high severity ones.

npm audit details after --force:

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix`
node_modules/axios
  gatsby  2.10.1-resource-loading.10 - 2.10.1-structured-logs-test.128 || 2.13.37-cors-options.396 || 2.13.58 - 3.0.0-next.4
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of terser-webpack-plugin
  node_modules/gatsby

immer  <8.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1603
fix available via `npm audit fix`
node_modules/immer
  @builder.io/react  >=0.1.20
  Depends on vulnerable versions of create-react-context
  Depends on vulnerable versions of immer
  node_modules/@builder.io/react
  node_modules/@builder.io/widgets/node_modules/@builder.io/react
    @builder.io/widgets  *
    Depends on vulnerable versions of @builder.io/react
    Depends on vulnerable versions of immer
    node_modules/@builder.io/widgets

node-fetch  <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
No fix available
node_modules/node-fetch
  @builder.io/gatsby  *
  Depends on vulnerable versions of node-fetch
  node_modules/@builder.io/gatsby
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/fbjs
      create-react-context  0.2.0 - 0.2.3
      Depends on vulnerable versions of fbjs
      node_modules/create-react-context
        @builder.io/react  >=0.1.20
        Depends on vulnerable versions of create-react-context
        Depends on vulnerable versions of immer
        node_modules/@builder.io/react
        node_modules/@builder.io/widgets/node_modules/@builder.io/react
          @builder.io/widgets  *
          Depends on vulnerable versions of @builder.io/react
          Depends on vulnerable versions of immer
          node_modules/@builder.io/widgets

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix`
node_modules/ssri
  cacache  10.0.4 - 11.0.0 || 13.0.0 - 14.0.0
  Depends on vulnerable versions of ssri
  node_modules/cacache
    terser-webpack-plugin  2.1.1 - 2.3.8
    Depends on vulnerable versions of cacache
    node_modules/terser-webpack-plugin
      gatsby  2.10.1-resource-loading.10 - 2.10.1-structured-logs-test.128 || 2.13.37-cors-options.396 || 2.13.58 - 3.0.0-next.4
      Depends on vulnerable versions of axios
      Depends on vulnerable versions of terser-webpack-plugin
      node_modules/gatsby

13 vulnerabilities (5 low, 3 moderate, 5 high)

I know, maintaining a nodejs project is such a pain. Good luck!

j2l, May 01 '21 09:05
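The report above is the human-readable form of `npm audit --json`; the chains under node-fetch and immer are what `npm audit fix --force` cannot resolve, because a parent package marked "No fix available" carries the vulnerable range. The triage script below is an added example, not code from the issue or from the gatsby-starter-builder project: it walks the `via` chains of a constructed audit document (shaped like the auditReportVersion 2 format, reduced to the packages named above) and lists, per package, what kind of fix npm offers and which root advisories it ultimately traces to.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// reduced to the chains from the report above; not real audit output.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: { name: "axios", severity: "high", fixAvailable: true,
      via: [{ source: 1594, title: "Server-Side Request Forgery", url: "https://npmjs.com/advisories/1594" }] },
    immer: { name: "immer", severity: "high", fixAvailable: true,
      via: [{ source: 1603, title: "Prototype Pollution", url: "https://npmjs.com/advisories/1603" }] },
    "node-fetch": { name: "node-fetch", severity: "high", fixAvailable: false,
      via: [{ source: 1556, title: "Denial of Service", url: "https://npmjs.com/advisories/1556" }] },
    "isomorphic-fetch": { name: "isomorphic-fetch", severity: "high", fixAvailable: false, via: ["node-fetch"] },
    fbjs: { name: "fbjs", severity: "high", fixAvailable: false, via: ["isomorphic-fetch"] },
    "create-react-context": { name: "create-react-context", severity: "high", fixAvailable: false, via: ["fbjs"] },
    "@builder.io/react": { name: "@builder.io/react", severity: "high", fixAvailable: false,
      via: ["create-react-context", "immer"] },
  },
};

// Follow `via`: a string names another vulnerable package (transitive), an
// object is the advisory itself. Returns the root advisories behind `pkg`.
function rootAdvisories(report, pkg, seen = new Set()) {
  if (seen.has(pkg)) return []; // the same node may be reached by several paths
  seen.add(pkg);
  const entry = report.vulnerabilities[pkg];
  if (!entry) return [];
  return entry.via.flatMap((v) =>
    typeof v === "string" ? rootAdvisories(report, v, seen) : [v]);
}

// One triage row per vulnerable package: severity, what kind of fix npm offers
// (none / `npm audit fix` / a semver-major bump, which is what --force applies),
// whether the package is vulnerable itself or only through a dependency, and
// the root advisories it traces to. Unfixable rows are sorted first.
function triage(report) {
  const rows = Object.values(report.vulnerabilities).map((e) => ({
    name: e.name,
    severity: e.severity,
    fix: e.fixAvailable === false ? "none"
      : e.fixAvailable === true ? "audit fix"
      : `major bump to ${e.fixAvailable.name}@${e.fixAvailable.version}`,
    direct: e.via.some((v) => typeof v !== "string"),
    advisories: [...new Set(rootAdvisories(report, e.name)
      .map((a) => `${a.source}: ${a.title}`))].sort(),
  }));
  return rows.sort((a, b) => Number(b.fix === "none") - Number(a.fix === "none"));
}

// Print the triage table for the constructed sample.
console.table(triage(sampleAudit));
```

Against a real project, save the report with `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json", "utf8"))` to `triage` in place of the sample; the rows marked "none" are the ones that need an upstream release or a manual dependency override rather than another `--force` run.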