
5 high severity vulnerabilities when installing gatsby-source-contentful, all related to utils-extend npm package #24679

Closed
Standby78 opened this issue Jun 1, 2020 · 20 comments
Labels
status: confirmed Issue with steps to reproduce the bug that’s been verified by at least one reviewer. topic: source-contentful Related to Gatsby's integration with Contentful type: bug An issue or pull request relating to a bug in Gatsby

Comments

@Standby78

Description

NPM install found 5 high severity vulnerabilities

Steps to reproduce

npm init
npm install --save gatsby-source-contentful

Expected result

The package shouldn't contain anything above medium severity vulnerabilities.

Actual result

npm audit and npm audit fix leave 5 high severity vulnerabilities, all related to utils-extend, which hasn't been updated in more than 5 years.

Environment

Empty project, and currently ongoing projects leave the same warnings.

@Standby78 Standby78 added the type: bug An issue or pull request relating to a bug in Gatsby label Jun 1, 2020
@gatsbot gatsbot bot added the status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer label Jun 1, 2020
@madalynrose madalynrose added status: confirmed Issue with steps to reproduce the bug that’s been verified by at least one reviewer. topic: source-contentful Related to Gatsby's integration with Contentful and removed status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer labels Jun 1, 2020
@axe312ger
Collaborator

@vladar as far as I remember we as plugin maintainers should not touch the yarn.lock in PRs.

How should we proceed?

@vladar
Contributor

vladar commented Jun 5, 2020

I think you can touch yarn.lock. It is just for the monorepo (tests, local development, publishing, etc.). When someone installs the contentful plugin, the yarn.lock of the monorepo is not used in any way.

So you can update the dependency in package.json of the plugin and run yarn in the monorepo root to update yarn.lock.

Check this PR for example: #24788

@axe312ger
Collaborator

@vladar 🆗

@axe312ger
Collaborator

Okay, I checked this in detail. https://www.npmjs.com/package/base64-img hasn't been updated for a while, and the way we use it, we make a request to Contentful every time we need a base64 version of an image.

I guess we should do the following:

  • Remove base64-img, gatsby-source-contentful is the only core package using it
  • Download the image via createRemoteFileNode. Or direct download & cache them in a separate folder. We won't need them in GraphQL.
  • Read the file via await fs.readFile('/path/to/file.jpg', {encoding: 'base64'});

This should:

  • Get rid of the mentioned security vulnerabilities
  • Replace an old package with node/core functionality
  • May reduce the build time when doing recurring builds

@axe312ger
Collaborator

Related: #24220

@gp1234

gp1234 commented Jun 18, 2020

Can this vulnerability have any impact on a production Gatsby site?

@axe312ger
Collaborator

No, as the code won't be executed at all in a production environment :)

@axe312ger
Collaborator

This will be fixed in the next major version as it requires potentially breaking refactoring to get rid of these dependencies.

See #25249

@MikeyUchiha

@axe312ger I just wanted to follow up on this. I installed the latest next package and I'm still getting the vulnerability error.

@axe312ger
Collaborator

@MikeyUchiha sorry, there is no fix implemented yet in that version. We probably have to postpone it further unless somebody picks it up.

We still need to change the base64 behavior as mentioned in #24679 (comment) to get rid of all security issues.

@axe312ger
Collaborator

There is a ticket for changing the base64 behaviour: #24220

@MikeyUchiha

@axe312ger Thank you for the update!

@vladar vladar removed their assignment Sep 2, 2020
@gatsbyjs gatsbyjs deleted a comment Nov 26, 2020
@gatsbyjs gatsbyjs deleted a comment Nov 26, 2020
@gatsbyjs gatsbyjs deleted a comment Nov 26, 2020
@LekoArts
Contributor

As #25249 was merged and released I'll close this one.

@axe312ger
Collaborator

@LekoArts are you sure the vulnerabilities are fixed? I didn't update the related packages in that branch (at least not on purpose).

@LekoArts
Contributor

Sorry, I read it as if it'd be fixed.

@LekoArts LekoArts reopened this Nov 28, 2020
@pranitcode

pranitcode commented Dec 31, 2020

How can I solve this problem?

C:\Users\Hp\Desktop\gatsby-bootcamp>npm install gatsby-source-contentful

added 33 packages, and audited 2422 packages in 27s

53 packages are looking for funding
run npm fund for details

6 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run npm audit for details.

@axe312ger
Collaborator

@pranitcode follow the funding instructions and send money 🙃

@pranitcode

Seriously🙁 😂

@axe312ger
Collaborator

@pranitcode sorry for that joke.

But I have trouble understanding your problem. As mentioned above, the security vulnerabilities do not apply to the plugin.

We will fix these, but with low priority.

You are also welcome to contribute to Gatsby and help us get rid of these dependencies as mentioned in #24679 (comment).

@axe312ger
Collaborator

(Low priority might be pretty soon, let's see)
