
[gatsby] 4 vulnerabilities detected by new vscode extension vscode-vuln-cost #23004

Closed
JustFly1984 opened this issue Apr 10, 2020 · 15 comments
Labels:
- stale? Issue that may be closed soon due to the original author not responding any more.
- type: bug An issue or pull request relating to a bug in Gatsby
- type: upstream Issues outside of Gatsby's control, caused by dependencies

Comments

JustFly1984 commented Apr 10, 2020

@wardpeet
I installed a new free VS Code extension from Snyk; it analyzes the dependencies imported in your code for known vulnerabilities.

https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost

I've opened my gatsby project and it shows 4 vulnerabilities in 'gatsby' package.

Steps to reproduce

  1. Install https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost in your VS Code.

  2. Open any Gatsby project file that imports from 'gatsby' and wait until the extension has analyzed the dependency graph.

Expected result

There should be no vulnerabilities in the project.

Actual result

The extension detected 4 vulnerabilities in the 'gatsby' project and printed 2 of them in detail:

=== gatsby@2.20.14 ===

Indirect:
Medium Prototype Pollution in dot-prop@4.2.0
- https://snyk.io/vuln/SNYK-JS-DOTPROP-543489
Medium Prototype Pollution in yargs-parser@11.1.1
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381

No remediation available.

Environment

System:
OS: macOS 10.15.4
CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
Shell: 5.7.1 - /bin/zsh
Binaries:
Node: 13.12.0 - ~/.nvm/versions/node/v13.12.0/bin/node
Yarn: 1.22.4 - /usr/local/bin/yarn
npm: 6.14.4 - ~/.nvm/versions/node/v13.12.0/bin/npm
Languages:
Python: 2.7.16 - /usr/bin/python
Browsers:
Chrome: 80.0.3987.163
Firefox: 74.0
Safari: 13.1
npmPackages:
gatsby: 2.20.14 => 2.20.14
gatsby-plugin-catch-links: 2.2.1 => 2.2.1
gatsby-plugin-manifest: 2.3.3 => 2.3.3
gatsby-plugin-minify-classnames: 0.2.0 => 0.2.0
gatsby-plugin-no-sourcemaps: 2.2.0 => 2.2.0
gatsby-plugin-offline: 3.1.2 => 3.1.2
gatsby-plugin-purgecss: 5.0.0 => 5.0.0
gatsby-plugin-react-helmet: 3.2.1 => 3.2.1
gatsby-plugin-robots-txt: 1.5.0 => 1.5.0
gatsby-plugin-root-import: 2.0.5 => 2.0.5
gatsby-plugin-sitemap: 2.3.1 => 2.3.1
gatsby-plugin-sri: 1.1.0 => 1.1.0
gatsby-plugin-typescript: 2.3.1 => 2.3.1
gatsby-plugin-webpack-bundle-analyser-v2: 1.1.8 => 1.1.8
npmGlobalPackages:
gatsby: 2.20.10
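
As an added example (not part of the issue and not Gatsby's own code), the following Node script shows why the extension reports "No remediation available" to the project owner: it walks a package-lock v1 tree from the project's direct dependencies and prints the chain that drags each flagged version in, so the fix has to land in an upstream package. The package.json dependencies and the trimmed lockfile below are constructed for illustration, not gatsby's real tree, and lockfile v1 resolution (a `requires` entry is satisfied by the nearest enclosing `dependencies` scope) is assumed.

```javascript
// Added example (not from the issue or from Gatsby): trace how the versions
// Snyk flagged are reached from a project's direct dependencies, using the
// package-lock v1 layout (nested "dependencies" shadow hoisted ones).

// name@version pairs exactly as the extension reported them
const VULNERABLE = [
  { name: "dot-prop", version: "4.2.0" },
  { name: "yargs-parser", version: "11.1.1" },
];

// Constructed package.json dependencies and a trimmed, illustrative lockfile
// (not gatsby's real tree): note the hoisted yargs-parser@18.1.3 at the root
// is NOT what yargs gets, because gatsby nests its own 11.1.1 copy.
const PKG_DEPS = { gatsby: "^2.20.14" };
const LOCK = {
  dependencies: {
    gatsby: {
      version: "2.20.14",
      requires: { yargs: "^12.0.5", "update-notifier": "^2.5.0" },
      dependencies: {
        yargs: { version: "12.0.5", requires: { "yargs-parser": "^11.1.1" } },
        "yargs-parser": { version: "11.1.1" },
      },
    },
    "update-notifier": { version: "2.5.0", requires: { configstore: "^3.0.0" } },
    configstore: { version: "3.1.2", requires: { "dot-prop": "^4.1.0" } },
    "dot-prop": { version: "4.2.0" },
    "yargs-parser": { version: "18.1.3" },
  },
};

// Returns one "a@1 > b@2 > c@3" chain per path that ends in a flagged version.
function findChains(pkgDeps, lock, vulnerable) {
  const hits = [];
  const flagged = (n, v) => vulnerable.some((x) => x.name === n && x.version === v);
  function walk(name, scopes, chain) {
    const node = scopes.map((d) => d && d[name]).find(Boolean); // innermost scope wins
    if (!node) return;
    const key = `${name}@${node.version}`;
    if (chain.includes(key)) return; // guard against dependency cycles
    const path = [...chain, key];
    if (flagged(name, node.version)) hits.push(path.join(" > "));
    const inner = [node.dependencies, ...scopes]; // nested deps shadow outer ones
    for (const dep of Object.keys(node.requires || {})) walk(dep, inner, path);
  }
  for (const dep of Object.keys(pkgDeps)) walk(dep, [lock.dependencies], []);
  return hits;
}
findChains(PKG_DEPS, LOCK, VULNERABLE).forEach((chain) => console.log(chain));
```

To run it against a real project, replace the constructed objects with `require('./package.json').dependencies` and `require('./package-lock.json')`.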

@JustFly1984 JustFly1984 added the type: bug An issue or pull request relating to a bug in Gatsby label Apr 10, 2020
github-actions bot commented May 1, 2020

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

@github-actions github-actions bot added the stale? Issue that may be closed soon due to the original author not responding any more. label May 1, 2020
@JustFly1984 (Author)

Not stale!

@github-actions github-actions bot removed the stale? Issue that may be closed soon due to the original author not responding any more. label May 1, 2020
@dumplingsol

Any update here? Same problem

@patrickdemers6

Mind if I create a PR and try to fix?

wardpeet (Contributor) commented May 7, 2020

@patrickdemers6 @ashokdelphia is already on it.

@jimmyandrade

I'm having the same issue as @JustFly1984 and I'm watching these related issues:

yargs/yargs#1544
yargs/yargs-parser#270

@github-actions

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

@github-actions github-actions bot added the stale? Issue that may be closed soon due to the original author not responding any more. label May 28, 2020
@JustFly1984 (Author)

Not stale!

@github-actions github-actions bot removed the stale? Issue that may be closed soon due to the original author not responding any more. label May 29, 2020
@danabrit danabrit added the type: upstream Issues outside of Gatsby's control, caused by dependencies label May 29, 2020
@JustFly1984 (Author)

@pieh Currently Snyk vscode-vuln-cost reports 2 vulnerabilities for gatsby@2.23.1:

https://snyk.io/test/npm/gatsby/2.23.1

@github-actions

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

@github-actions github-actions bot added the stale? Issue that may be closed soon due to the original author not responding any more. label Jun 28, 2020
@JustFly1984 (Author)

Not stale! @wardpeet what is the status on the issue?

@github-actions github-actions bot removed the stale? Issue that may be closed soon due to the original author not responding any more. label Jun 29, 2020
@wardpeet (Contributor)

These are new vulnerabilities; this will always happen. We'll make sure we keep our packages up to date through renovatebot.

JustFly1984 (Author) commented Jun 29, 2020

@wardpeet I would recommend removing the ^ prefix in semver for all dependencies and devDependencies, and setting up tests, because some dependencies can have bugs or misconfiguration even in patch versions, which breaks Gatsby. For example the devcert accident: the update from 1.1.0 to 1.1.1 broke Gatsby in all of our projects for several days. Every package version update should be reviewed, not just blindly trusting npm to install the latest minor/patch version.

PS: do not remove ^ for peerDependencies.

@github-actions

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

@github-actions github-actions bot added the stale? Issue that may be closed soon due to the original author not responding any more. label Jul 20, 2020
@github-actions

Hey again!

It’s been 30 days since anything happened on this issue, so our friendly neighborhood robot (that’s me!) is going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error, I’m HUMAN_EMOTION_SORRY. Please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks again for being part of the Gatsby community! 💪💜
