High severity Dependabot alert in the Gatsby dependency 'path-to-regexp' #39088

Closed
2 tasks done
justinclift opened this issue Sep 18, 2024 · 7 comments · Fixed by #39154
Assignees
Labels
dependencies Pull requests that update a dependency file status: accepted type: bug An issue or pull request relating to a bug in Gatsby

Comments


justinclift commented Sep 18, 2024

Preliminary Checks

Description

Gatsby presently has a requirement on path-to-regexp 0.1.7, which GitHub Dependabot has started issuing High severity security alerts for:

[Screenshot attached: the Dependabot alert, captured 2024-09-18]

Hopefully a new point release of Gatsby 5.13.x can be created to resolve this problem. 😄

Further info:

Reproduction Link

n/a

Steps to Reproduce

n/a

Expected Result

To have a Gatsby release available without security vulnerabilities in its dependency chain. 😄

Actual Result

Gatsby 5.13.7 presently uses dependencies with reported security vulnerabilities. 😦

Environment

n/a

Config Flags

n/a
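The alert in this report concerns a transitive pin (path-to-regexp 0.1.7 pulled in below Gatsby), and a lockfile can carry several copies of the same package at once, so "which copy is the flagged one and who requires it" is the first thing to check before waiting on an upstream release. The following is an added example, not code from the issue, from Gatsby or from the reporter: a Node script that walks a package-lock.json (lockfileVersion 3), lists every installed copy of a named package, applies Node's resolution walk to find which packages actually resolve to each copy, and flags copies below a fix version. The lockfile object is constructed for the demo and does not reproduce Gatsby's real dependency tree, and the `FIXED_IN` value is an assumed placeholder, not taken from the advisory.

```javascript
// Added example (not Gatsby's code): enumerate every copy of a package that a
// package-lock.json (lockfileVersion 3) installs, flag the copies below a fix
// version, and name the packages that resolve to each copy. The lockfile below is
// constructed for the demo and the fix version is an assumed placeholder; take
// the real one from the Dependabot alert.

const LOCKFILE = {
  name: "my-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-site", dependencies: { gatsby: "^5.13.7" } },
    "node_modules/gatsby": {
      version: "5.13.7",
      dependencies: { express: "^4.17.1", "path-to-regexp": "^6.2.0" },
    },
    "node_modules/express": {
      version: "4.19.2",
      dependencies: { "path-to-regexp": "0.1.7" },
    },
    // express's exact pin cannot share the hoisted 6.x copy, so npm nests its own.
    "node_modules/express/node_modules/path-to-regexp": { version: "0.1.7" },
    "node_modules/path-to-regexp": { version: "6.2.2" },
  },
};

// Compare two "major.minor.patch" strings numerically; pre-release tags are
// ignored, which is enough for the release versions a lockfile records.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, "").split("-")[0].split(".").map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const [x, y] = [pa[i] ?? 0, pb[i] ?? 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path: everything after the last "node_modules/"
// (keeps scoped names such as "@scope/name" intact).
function packageName(pkgPath) {
  return pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Parent package of a nested path: "node_modules/a/node_modules/b" -> "node_modules/a";
// any top-level "node_modules/x" -> "" (the root project).
function parentPath(pkgPath) {
  const idx = pkgPath.lastIndexOf("/node_modules/");
  return idx === -1 ? "" : pkgPath.slice(0, idx);
}

// Node's resolution walk: look in the requirer's own node_modules, then in each
// ancestor's, ending at the root. Returns the lockfile path that wins, or null.
function resolveFrom(lock, requirerPath, name) {
  for (let cur = requirerPath; ; cur = parentPath(cur)) {
    const candidate = cur === "" ? `node_modules/${name}` : `${cur}/node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (cur === "") return null;
  }
}

// Every package whose declared dependency on `name` resolves to `instancePath`.
function requirersOf(lock, name, instancePath) {
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    const declared = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    if (name in declared && resolveFrom(lock, p, name) === instancePath) {
      out.push(p === "" ? "(root)" : p);
    }
  }
  return out;
}

// One record per installed copy of `name`, marked vulnerable when its version is
// older than `fixedIn`.
function auditPackage(lock, name, fixedIn) {
  return Object.entries(lock.packages)
    .filter(([p, meta]) => p !== "" && packageName(p) === name && meta.version)
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixedIn) < 0,
      requiredBy: requirersOf(lock, name, p),
    }));
}

// FIXED_IN is an assumed placeholder for the demo, not taken from the advisory.
const FIXED_IN = "0.1.10";
for (const r of auditPackage(LOCKFILE, "path-to-regexp", FIXED_IN)) {
  const tag = r.vulnerable ? "VULNERABLE" : "ok";
  console.log(`${tag.padEnd(10)} ${r.version.padEnd(8)} ${r.path}  <- ${r.requiredBy.join(", ")}`);
}
```

Against a real project, replace the constructed `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the point the output makes is that the hoisted 6.x copy is irrelevant to the alert, and the 0.1.7 copy stays installed until the package that pins it (here express) is updated or overridden, which is why bumping a single top-level range does not clear the alert. `npm ls path-to-regexp --all` shows the same tree from npm's side, and `npm audit` reports the advisory itself.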

@justinclift justinclift added the type: bug An issue or pull request relating to a bug in Gatsby label Sep 18, 2024
@gatsbot gatsbot bot added the status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer label Sep 18, 2024
@wraithgar

This comment has been minimized.

justinclift (Author) commented

Ugh, that's not a good sign. 😦

Thanks for the info @wraithgar. 😄

wraithgar commented Sep 23, 2024

Looks like dependabot PRs are flowing once again which is a good sign!

serhalp (Contributor) commented Sep 23, 2024

Hi @justinclift. Thanks for reporting. We're working through bumping outdated dependencies with security alerts as we speak! We should have a release out later this week.

@serhalp serhalp added status: accepted dependencies Pull requests that update a dependency file and removed status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer labels Sep 23, 2024
@serhalp serhalp self-assigned this Sep 23, 2024
justinclift (Author) commented

Awesome, thanks for the heads up @serhalp. 😄

justinclift (Author) commented Sep 24, 2024

> No PR for webpack-dev-middleware yet.

Well spotted. 😄

Yeah hopefully the upcoming release fixes all of the outstanding security dependencies. That seems to be a tricky ongoing process these days as larger projects commonly have an ocean of dependencies. 😱

kruplm commented Oct 11, 2024

> Looks like dependabot PRs are flowing once again which is a good sign!

Hi,
2 of 3 dependency updates are yet to be merged.
When are you planning to release a new version that upgrades these dependencies?

@serhalp serhalp linked a pull request Nov 6, 2024 that will close this issue
4 participants