gatsby
Using webpack-dev-middleware results in an npm audit high vulnerability
Preliminary Checks
- [X] This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
- [X] This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions
Description
Hi folks!
There is a webpack-dev-middleware usage in packages/gatsby/src/utils/start-server.ts which results in a high severity npm audit issue.
Version ^4.3.0 has some reported vulnerabilities, which were fixed in patched versions here.
What is the ETA of updating the mentioned package?
Reproduction Link
https://github.com/gatsbyjs/gatsby/blob/5723972ebfa2c5cc56cb822daa4a026e4cdaf11d/packages/gatsby/package.json#L174
Steps to Reproduce
Run npm audit on a fresh Gatsby project.
Expected Result
No high severity vulnerabilities found. webpack-dev-middleware should be bumped to v5.3.4 at least.
Actual Result
A high severity vulnerability was found.
Environment
System:
OS: macOS 14.4.1
CPU: (8) arm64 Apple M1 Pro
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
Yarn: 1.22.19 - /usr/local/bin/yarn
npm: 8.19.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
Browsers:
Chrome: 123.0.6312.106
Edge: 123.0.2420.65
Firefox: 123.0.1
Safari: 17.4.1
npmPackages:
gatsby: ^5.13.3 => 5.13.3
Config Flags
No response
In the meantime, adding this to your package.json will solve the issue:

```json
{
  ...
  "overrides": {
    "webpack-dev-middleware": "^5.3.4"
  }
}
```
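Added example (not part of this issue and not Gatsby project code): after editing package.json, an `overrides` entry only takes effect once the lockfile is regenerated, and a transitive copy can still sit below the floor. The script below checks every resolved copy of webpack-dev-middleware against the 5.3.4 minimum named above and then re-runs `npm audit` at the high level. The `version_ge` and `check_wdm_versions` helpers, the `RUN_WDM_CHECK` guard, and the sample `name@version` lines are assumptions made for this example; the `npm ls --parseable --long` output shape (`path:name@version`) is the one documented by npm.

```sh
#!/bin/sh
# Added example, not from the issue or from Gatsby: verify that the
# "overrides" workaround actually resolved webpack-dev-middleware to the
# patched line before trusting a clean audit.
MIN_WDM_VERSION="5.3.4"   # floor stated in the issue

# version_ge A B -> returns 0 when dotted version A >= B.
# Compares major.minor.patch numerically. A pre-release suffix such as
# "5.3.4-beta.1" is truncated to its numeric part (assumption: release
# versions are what npm resolves here, so this is sufficient).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    y=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# check_wdm_versions reads "name@version" lines on stdin (the shape left
# after stripping the path prefix from `npm ls --parseable --long`) and
# prints every webpack-dev-middleware copy below the floor.
# Returns 1 if any unpatched copy was seen, 0 otherwise.
check_wdm_versions() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      webpack-dev-middleware@*) ;;
      *) continue ;;
    esac
    v=${line#webpack-dev-middleware@}
    if ! version_ge "$v" "$MIN_WDM_VERSION"; then
      printf 'unpatched: %s\n' "$line"
      bad=1
    fi
  done
  return "$bad"
}

# installed_wdm_versions lists every resolved copy in the current project,
# including nested duplicates (--all), as name@version lines.
installed_wdm_versions() {
  npm ls webpack-dev-middleware --all --parseable --long 2>/dev/null | sed 's/^.*://'
}

# Hypothetical guard so the file can be sourced without touching npm;
# run it as: RUN_WDM_CHECK=1 sh check-wdm.sh  (inside the Gatsby project)
if [ -n "$RUN_WDM_CHECK" ]; then
  if installed_wdm_versions | check_wdm_versions; then
    echo "all copies of webpack-dev-middleware are >= $MIN_WDM_VERSION"
    npm audit --audit-level=high
  else
    echo "override not applied yet: run 'npm install' after editing package.json" >&2
    exit 1
  fi
fi
```

The check deliberately looks at the installed tree rather than at package.json: `overrides` is a resolution hint, so the proof that the advisory no longer applies is the resolved version in node_modules (and the lockfile), not the presence of the key.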