Preliminary Checks
- This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
- This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions
Description
While using Gatsby v5.14.3, npm audit still reports the following vulnerabilities:
cookie < 0.7.0: GHSA-pxg6-pf52-xh8x
path-to-regexp < 0.1.12: GHSA-rhx6-c78j-4q9w
These are coming from socket.io > engine.io, both used as part of Gatsby’s development server stack.
Would love to see these bumped or replaced in a future release to clean up audits and reduce noise in Dependabot PRs.
Thanks for all your hard work! Gatsby is awesome!
Reproduction Link
https://github.com/gatsbyjs/gatsby-starter-hello-world
Steps to Reproduce
- Clone the starter repo above and install dependencies using `npm install`.
- Run `npm audit`.
- Review vulnerabilities listed under `gatsby` → `socket.io` and `engine.io`.
Expected Result
No known high or moderate vulnerabilities in the default Gatsby dependency tree.
Actual Result
`npm audit` reports high and moderate vulnerabilities caused by outdated versions of `cookie` and `path-to-regexp` inside Gatsby's dev dependencies (`socket.io` and `engine.io`).
Environment
gatsby info --clipboard
Config Flags
No custom flags used.
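When triaging audit noise like this, it helps to confirm exactly which dependency chain pulls in each advisory rather than eyeballing the `npm audit` table. The script below is an added example (not part of the issue or of Gatsby) that parses `npm audit --json` output and walks the `effects` links to recover the path from the vulnerable package up to the top-level dependency; the embedded audit document is a constructed sample in that shape, covering the chain named in the report, with severities and the `path-to-regexp` intermediates left as placeholders.

```python
import json
import sys

# Advisory ids named in the issue.
ISSUE_ADVISORIES = ["GHSA-pxg6-pf52-xh8x", "GHSA-rhx6-c78j-4q9w"]

# Constructed sample shaped like `npm audit --json` (npm 7+). A package hit by an
# advisory lists it as an object in "via"; a package that merely depends on a
# vulnerable one lists that dependency's name as a string in "via". "effects"
# points the other way, to the packages that depend on this one. Severities are
# placeholders, and the intermediates between path-to-regexp and gatsby are
# omitted in this sample (it is not real audit output).
SAMPLE_AUDIT = json.loads(r'''{
  "vulnerabilities": {
    "cookie": {"name": "cookie", "severity": "placeholder", "isDirect": false,
      "via": [{"source": 1, "name": "cookie", "dependency": "cookie",
               "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
               "range": "<0.7.0"}],
      "effects": ["engine.io"], "range": "<0.7.0"},
    "engine.io": {"name": "engine.io", "via": ["cookie"], "effects": ["socket.io"]},
    "socket.io": {"name": "socket.io", "via": ["engine.io"], "effects": ["gatsby"]},
    "path-to-regexp": {"name": "path-to-regexp", "severity": "placeholder",
      "via": [{"source": 2, "name": "path-to-regexp", "dependency": "path-to-regexp",
               "url": "https://github.com/advisories/GHSA-rhx6-c78j-4q9w",
               "range": "<0.1.12"}],
      "effects": ["gatsby"], "range": "<0.1.12"},
    "gatsby": {"name": "gatsby", "isDirect": true,
      "via": ["socket.io", "path-to-regexp"], "effects": []}
  }
}''')


def dependent_chains(audit, advisory_id):
    """All paths from a package hit by `advisory_id` up to its top-level dependents,
    e.g. ['cookie', 'engine.io', 'socket.io', 'gatsby']. Empty if the id is absent."""
    vulns = audit.get("vulnerabilities", {})
    hit = [n for n, v in vulns.items()
           if any(isinstance(x, dict) and x.get("url", "").endswith(advisory_id)
                  for x in v.get("via", []))]
    chains = []

    def walk(name, path):
        parents = vulns.get(name, {}).get("effects", [])
        if not parents or name in path[:-1]:  # top of the tree, or a cycle: stop
            chains.append(path)
            return
        for parent in parents:
            walk(parent, path + [parent])

    for name in hit:
        walk(name, [name])
    return chains


def triage(audit, advisory_ids):
    """Map each advisory id to the dependency chains that pull it in."""
    return {aid: dependent_chains(audit, aid) for aid in advisory_ids}


if __name__ == "__main__":
    # Pipe real output in with `npm audit --json | python3 audit_chains.py`;
    # with no stdin, fall back to the constructed sample above.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_AUDIT
    for aid, chains in triage(data, ISSUE_ADVISORIES).items():
        for chain in chains or [["(not present)"]]:
            print(f"{aid}: {' -> '.join(reversed(chain))}")
```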