
"Found 9 high severity vulnerabilities" #21996

Closed
jordanlesich opened this issue Mar 5, 2020 · 7 comments
Labels
status: needs reproduction This issue needs a simplified reproduction of the bug for further troubleshooting. type: bug An issue or pull request relating to a bug in Gatsby type: upstream Issues outside of Gatsby's control, caused by dependencies

Comments

@jordanlesich

BUG:
Command prompt discovers high severity vulnerabilities when installing plugins.

I am running Windows OS 18362.592. Gatsby CLI was npm installed today. Node is version 12.14.1

I am receiving this alert when I install a plugin. The plugin was gatsby-source-filesystem, but it doesn't really matter because I tested it out with different plugins and received the same alerts.

found 9 high severity vulnerabilities
run npm audit fix to fix them, or npm audit for details

I ran npm audit and received this:

fixed 0 of 9 vulnerabilities in 23125 scanned packages
9 vulnerabilities required manual review and could not be updated

I'm new to Gatsby. I'm assuming that a 'high severity vulnerability' probably means I should wait for this to be fixed before putting together a project, right?

Also, my desktop simply would not install any Gatsby plugin. There isn't much in the way of shared software on either machine. Both machines have no problem running other Node apps, React, or CRA. This could be the same problem, but I'm not sure at all.

@jordanlesich jordanlesich added the type: bug An issue or pull request relating to a bug in Gatsby label Mar 5, 2020
@DSchau
Contributor

DSchau commented Mar 6, 2020

> I am receiving this alert when I install a plugin

Could you share the full alert? It'll be helpful for us to debug.

> I'm assuming that a 'high severity vulnerability' probably means I should wait for this to be fixed before putting together a project, right?

Not necessarily. These bugs tend to range from various attack vectors, and it could simply be a devDependency (which wouldn't make its way into production code). This being said, it is probably a good idea to try and get them fixed, so thanks for opening this!

> Also, my desktop simply would not install any Gatsby plugin

This may be the root of the problem. What do you mean "would not install," exactly?

@DSchau DSchau added the status: needs reproduction This issue needs a simplified reproduction of the bug for further troubleshooting. label Mar 6, 2020
@jordanlesich
Author

jordanlesich commented Mar 6, 2020

Thank you for the reply!

Here's what I get when I try to load gatsby-source-filesystem in my project folder:

```
C:\Users\Jordan>cd C:\Users\Jordan\Documents\Repos\pro-gatsby-2\testproject

C:\Users\Jordan\Documents\Repos\pro-gatsby-2\testproject>npm install --save gatsby-source-filesystem
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.2 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.11 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.11: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ gatsby-source-filesystem@2.1.48
added 3 packages from 3 contributors and audited 23234 packages in 19.142s

41 packages are looking for funding
run npm fund for details

found 9 high severity vulnerabilities
run npm audit fix to fix them, or npm audit for details
```

and when I run npm audit fix:

```
C:\Users\Jordan\Documents\Repos\pro-gatsby-2\testproject>npm audit fix
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.2 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.11 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.11: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

up to date in 12.462s

41 packages are looking for funding
run npm fund for details

fixed 0 of 9 vulnerabilities in 23234 scanned packages
9 vulnerabilities required manual review and could not be updated
```

@jordanlesich
Author

> What do you mean "would not install," exactly?

In the case of my desktop, plugins either failed on npm install --save, or they littered the command prompt windows with warnings like:

```
npm WARN rm not removing C:\Users\Jordan\Documents\Repos\Gatsby-Tutorials\hello-world\tutorial-part-three\node_modules\.bin\semver as it wasn't installed by C:\Users\Jordan\Documents\Repos\Gatsby-Tutorials\hello-world\tutorial-part-three\node_modules\semver
```

and then when I would try to enter the plugin into my .config, node modules would not be able to locate the files.

In the case of the laptop, I actually haven't tried loading it into the config yet. I just wanted to be sure before I went ahead and used anything with severe vulnerabilities. Still new to this.

@jordanlesich
Author

Again, thank you for the reply.

@vladar
Contributor

vladar commented Mar 6, 2020

A bit more info: all 9 audit errors are produced by the same upstream dependency, decompress:

```
  High            Arbitrary File Write
  Package         decompress
  Patched in      No patch available
  Dependency of   gatsby-plugin-sharp
  Path            gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg > bin-build
                  > decompress
  More info       https://npmjs.com/advisories/1217
```

We depend on it indirectly, via 9 sharp dependencies. I guess we can only wait until the fix for this is released and upgrade deps after that.

@vladar vladar added the type: upstream Issues outside of Gatsby's control, caused by dependencies label Mar 6, 2020
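A way to make the same triage repeatable, as an added example that is not code from the issue or from Gatsby: it reads the JSON that `npm audit --json` emits (the npm 6 layout of advisories, findings and paths, including a per-finding `dev` flag, is assumed) and groups findings by vulnerable module and by the top-level dependency that pulls it in, which is what shows that all nine findings trace back to decompress through gatsby-plugin-sharp. The sample report is constructed: the advisory id, module, severity, title, URL and first path are the ones quoted above; the version and the other two paths are made up.

```javascript
// Added example, not code from the issue or from Gatsby: groups the findings
// in an `npm audit --json` report (npm 6 shape: advisories -> findings -> paths)
// by vulnerable module and by the top-level dependency that pulls it in.
// Constructed sample: advisory id, module, severity, title, URL and the first
// path come from the issue; the version and the other two paths are made up.
const SAMPLE_AUDIT = {
  advisories: {
    '1217': {
      id: 1217,
      module_name: 'decompress',
      severity: 'high',
      title: 'Arbitrary File Write',
      patched_versions: '<0.0.0', // how npm 6 encodes "no patch available"
      url: 'https://npmjs.com/advisories/1217',
      findings: [{ version: '4.2.0', dev: false, paths: [
        'gatsby-plugin-sharp>imagemin-mozjpeg>mozjpeg>bin-build>decompress',
        'gatsby-plugin-sharp>imagemin-pngquant>pngquant-bin>bin-build>decompress',
        'gatsby-plugin-sharp>imagemin-webp>cwebp-bin>bin-build>decompress',
      ]}],
    },
  },
};

function summarizeAudit(audit) {
  const modules = {};
  let total = 0;
  for (const adv of Object.values(audit.advisories || {})) {
    const m = modules[adv.module_name] || (modules[adv.module_name] = {
      severity: adv.severity, title: adv.title, url: adv.url,
      patchAvailable: adv.patched_versions !== '<0.0.0',
      count: 0, devOnly: true, topLevel: new Set(), paths: [],
    });
    for (const f of adv.findings || []) {
      for (const p of f.paths || []) {
        total += 1; m.count += 1;
        m.devOnly = m.devOnly && f.dev === true; // dev-only code never ships to prod
        m.topLevel.add(p.split('>')[0]);
        m.paths.push(p);
      }
    }
  }
  for (const m of Object.values(modules)) m.topLevel = [...m.topLevel].sort();
  return { total, modules };
}
const summary = summarizeAudit(SAMPLE_AUDIT);
for (const [name, m] of Object.entries(summary.modules)) {
  console.log(`${m.count} ${m.severity} finding(s) in ${name} (${m.title}); ` +
    `patch available: ${m.patchAvailable}; pulled in via: ${m.topLevel.join(', ')}`);
}
```

On a real project, pipe `npm audit --json` into a file and pass the parsed object to `summarizeAudit` instead of the sample; `devOnly` tells you whether a module with no patch at least stays out of the production bundle.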
@vladar
Contributor

vladar commented Mar 6, 2020

But this is a duplicate of #21791, so I am going to close this one. Let's keep the discussion around it in one place.

@vladar vladar closed this as completed Mar 6, 2020
@vladar
Contributor

vladar commented Mar 13, 2020

> Sorry, this is mostly for my own understanding, but how is this related to the error that I had? I hadn't installed either of these plugins.

@jordanlesich gatsby-plugin-sharp has those dependencies as its sub-dependencies. So if you have gatsby-plugin-sharp (or gatsby-transformer-sharp) they are installed for you by npm.
