Decompress security warning means gatsby-plugin-sharp and gatsby-source-contentful fail audit #21791
Comments
Thanks for the notice! Unfortunately there is not much we can do in gatsby directly to address it yet as
There is an open pull request in So please watch that pull request; once this is handled there and published, it will be a matter of updating this package in your lock files as
Also encountering this issue:
Yeah, I'm receiving the Arbitrary File Write vulnerability in my npm audit as well. Is there a patch scheduled for that separately, or is it related to the path traversal mentioned earlier in this bug thread?
The path traversal fix is for the decompress-tar package, which is used by decompress and is the cause of this issue. After fixing decompress-tar, the decompress package should be updated to use the fixed decompress-tar package. That would solve the issue.
* switch client to yarn * fixes peer dependencies in client * temp disable yarn audit until gatsbyjs/gatsby#21791
@pieh That project looks abandoned. Is there another package that can be used in its place? Also, is
@vladar Sorry, this is mostly for my own understanding, but how is this related to the error that I had? I hadn't installed either of these plugins.
Possibly. All of those affected deps of deps are for minimizing images.
The Btw. Those audit advisories provide a lot of worry, but you do have to inspect them and the affected packages to see if you are really affected or not. And there is a lot of nuance in those matters that those advisories do not explain
So what should we do as Gatsby users? I'm kinda worried about this vulnerability.
I was able to work around this by installing WSL (Windows Subsystem Linux) and Ubuntu on a freshly formatted hard drive (I'm not sure if this was necessary; it might work by just removing existing node modules). I then installed nvm by cURL. I'm guessing that by installing npm through Linux I was able to avoid the problems with decompress. TBH, I don't really know why this worked for me, but I am now running gatsby-source-filesystem without receiving the security warnings. It also doesn't crash my project when I run gatsby develop, which is a big plus. I'll post back if anything changes.
It is really hard to sell Gatsby to the rest of the dev team with this
This error is now happening in all our Gatsby projects. Has anyone found a workaround yet?
We are waiting a few more days for a response from
@pieh thanks for the answer. An issue reporting this was created by @medikoo two weeks ago in kevva/download#189 and another by @simotae14 in kevva/decompress#76, and we've had no response from the maintainers so far. The last commit on So, how long do you think we should wait for an answer before replacing usage of
Kind petition to replace usage of
There is a joint effort by the community to address this vulnerability directly in decompress (see kevva/decompress#73) and related repositories. I believe they are waiting for a timely response from the maintainers to make the decision to fork the project 😄 |
Want to see if there are any updates on this? |
@byebyers I was taking a look at kevva/decompress#73 and noticed that the repo maintainer has not yet responded on the pull request 😢
Thank you for checking 😄 |
I have just gone through all the forks and one is getting updated with security patches: Atomic-Reactor/decompress. It may be worth having a quick look.
The latest version of decompress should resolve this issue. The NPM advisory has been updated as well: https://www.npmjs.com/advisories/1217 . I'll try to create the PR (it will be my first one here).
I think now, however, that this dependency will be updated automatically, so there is no need to do it manually.
Lock files might pin the decompress version, so you might need to update those in your projects:
I will be updating starters that we maintain today, so |
There is an NPM high severity warning for kevva/decompress which means yarn audit fails when using the gatsby-plugin-sharp and gatsby-source-contentful plugins. See: https://www.npmjs.com/advisories/1217
Issue here: kevva/decompress#71