gatsbyjs / gatsby

The best React-based framework with performance, scalability and security built in.

Home Page:https://www.gatsbyjs.com


Using webpack-dev-middleware results with npm audit high vulnerability

sebastian-kopiczko opened this issue · comments

Preliminary Checks

Description

Hi folks!

There is a webpack-dev-middleware usage in packages/gatsby/src/utils/start-server.ts which results in a high-severity npm audit issue.

Version ^4.3.0 has some reported vulnerabilities, which were fixed in patched versions here.

What is the ETA of updating the mentioned package?

Reproduction Link

"webpack-dev-middleware": "^4.3.0",

Steps to Reproduce

Run npm audit on a fresh Gatsby project.
[Screenshot: npm audit output, 2024-04-04]

Expected Result

No high-severity vulnerabilities found; webpack-dev-middleware should be bumped to at least v5.3.4.

Actual Result

A high severity vulnerability was found.

Environment

  System:
    OS: macOS 14.4.1
    CPU: (8) arm64 Apple M1 Pro
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 8.19.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
  Browsers:
    Chrome: 123.0.6312.106
    Edge: 123.0.2420.65
    Firefox: 123.0.1
    Safari: 17.4.1
  npmPackages:
    gatsby: ^5.13.3 => 5.13.3

Config Flags

No response

In the meantime, adding this to your package.json will solve the issue:

{
  ...
  "overrides": {
    "webpack-dev-middleware": "^5.3.4"
  }
}