gatsby-starter-wordpress-blog icon indicating copy to clipboard operation
gatsby-starter-wordpress-blog copied to clipboard

Published 20 hours ago verified publisher icon gatsbyjs

New project fails on NPM install

Open PreciousFlorist opened this issue 1 year ago • 0 comments

After instantiating a fresh install, an NPM audit identifies the following errors:

  1. engine.io (moderate severity): This vulnerability is related to uncaught exceptions in engine.io, which could lead to unexpected application behavior. More details are available here: https://github.com/advisories/GHSA-r7qp-cfhv-p84w

  2. file-type (high severity): This vulnerability is associated with an infinite loop when processing a malformed MKV file. More details can be found here: https://github.com/advisories/GHSA-mhxj-85r3-2x55

  3. immer (critical severity): This vulnerability is caused by prototype pollution in the immer package. Prototype pollution can allow attackers to modify an application's behavior, potentially leading to various security issues. More details are available here:

    • https://github.com/advisories/GHSA-c36v-fmgq-m8hx
    • https://github.com/advisories/GHSA-33f9-j839-rf8h
    • https://github.com/advisories/GHSA-9qmh-276g-x5pj
engine.io  4.0.0 - 6.2.0
Severity: moderate
Uncaught exception in engine.io - https://github.com/advisories/GHSA-r7qp-cfhv-p84w
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/engine.io
  socket.io  3.0.0-rc1 - 4.4.1
  Depends on vulnerable versions of engine.io
  node_modules/socket.io
    gatsby  2.32.8 - 4.25.4-alpha-initial-webhook-body.2 || 5.0.0-alpha-drupal-proxyurl.11 - 5.4.0-next.3
    Depends on vulnerable versions of socket.io
    node_modules/gatsby

file-type  13.0.0 - 16.5.3
Severity: high
file-type vulnerable to Infinite Loop via malformed MKV file - https://github.com/advisories/GHSA-mhxj-85r3-2x55
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/gatsby-source-wordpress/node_modules/file-type
  gatsby-source-wordpress  3.11.0-alpha-wordpress.44 - 3.11.0-next.0 || >=3.12.0-next.0
  Depends on vulnerable versions of @rematch/immer
  Depends on vulnerable versions of file-type
  node_modules/gatsby-source-wordpress

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-c36v-fmgq-m8hx
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-9qmh-276g-x5pj
fix available via `npm audit fix`
node_modules/immer
  @rematch/immer  *
  Depends on vulnerable versions of immer
  node_modules/@rematch/immer

7 vulnerabilities (3 moderate, 3 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

PreciousFlorist avatar May 02 '23 22:05 PreciousFlorist