gatsby: Decompress security warning means gatsby-plugin-sharp and gatsby-source-contentful fail audit

There is an NPM high severity warning for kevva/decompress which means yarn audit fails when using gatsby-plugin-sharp and gatsby-source-contentful plugins.

See: https://www.npmjs.com/advisories/1217
Issue here: https://github.com/kevva/decompress/issues/71

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 20
  • Comments: 22 (4 by maintainers)

Most upvoted comments

Kind petition to replace usage of decompress. Who’s with me?

We are waiting a few more days for a response from the decompress maintainers, and if there isn’t any, we will likely fork the imagemin-x packages and replace the usage of decompress there.

So what should we do as Gatsby users? I’m kinda worried about this vulnerability.

It is really hard to sell Gatsby to the rest of the dev team with these npm audit warnings.

@pieh That project looks abandoned. Is there another package that can be used in its place? Also, is gatsby-plugin-sharp a devDependency since it’s only used in the build, or should I be worried about my production site having this vulnerability?

The latest version of decompress should resolve this issue. The NPM advisory has been updated as well: https://www.npmjs.com/advisories/1217

I’ll try to create the PR (it will be my first one here)

Thanks for the notice!

Unfortunately there is not much we can do in Gatsby directly to address it yet, as decompress is a dependency-of-a-dependency type scenario:

gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-build#decompress
gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-build#download#decompress
gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-wrapper#download#decompress

There is an open pull request in the decompress repository to address the vulnerability: https://github.com/kevva/decompress/pull/73

So please watch that pull request; once this is handled there and published, it will be a matter of updating this package in your lock files, as the bin-build package already allows a version range in its dependencies ("decompress": "^4.0.0", via https://unpkg.com/browse/bin-build@3.0.0/package.json).

I have just gone through all the forks and one is getting updated with security patches: Atomic-Reactor/decompress. It may be worth having a quick look.

I think now, however, that this dependency would be updated automatically. So there is no need to do it manually.

Lock files might pin the decompress version, so you might need to update those in your projects:

  • npm: You can use npm audit fix, which should take care of it automatically. Alternatively you can run npm audit again, and it should provide you with commands like npm update decompress --depth 8 (but the depth might vary depending on your setup, i.e. whether you use gatsby-plugin-sharp directly or use plugins/themes that use it under the hood).
  • yarn: yarn doesn’t really have a nice option to bump indirect/transitive dependencies ( https://github.com/yarnpkg/yarn/issues/4986 ), but you can do something like yarn remove gatsby-plugin-sharp && yarn add gatsby-plugin-sharp (again, you might need to remove and re-add more packages if those depend on gatsby-plugin-sharp). You might also try just deleting yarn.lock and running yarn install to regenerate it (just keep in mind it will unpin any other unrelated deps and it might cause weird problems, so if you do this, make sure you do some manual QA that everything works as expected on your site if you don’t have automated testing).

I will be updating starters that we maintain today, so gatsby new (when using one of those) will just start with this taken care of.
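A quick way to confirm whether a project’s lock file still resolves an old copy of decompress somewhere in the chain shown above, as an added example that is not code from the thread or from Gatsby: the lock walker, the `minPatched` argument (take the patched version from the advisory linked above) and the sample lock are all constructed; it also handles the newer flat `packages` layout of lockfileVersion 2/3, which the thread does not cover.

```javascript
// Added example (not from the thread): walk an npm lock file and list every
// resolved copy of a package that is still older than the patched release.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
// Package names, the sample lock and the thresholds used here are constructed.

function parseVersion(v) {
  // "4.0.0" -> [4, 0, 0]; tolerates a leading "v" and drops pre-release tags.
  return String(v).replace(/^v/, "").split("-")[0].split(".").map(Number);
}

function versionLessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false; // equal versions are not "less than"
}

// Returns [{ path: "a > b > decompress", version: "4.0.0" }, ...] for every copy
// of `pkg` resolved below `minPatched` (the caller supplies the advisory's version).
function findVulnerableCopies(lock, pkg, minPatched) {
  const hits = [];
  const record = (trail, info) => {
    if (trail[trail.length - 1] === pkg && versionLessThan(info.version, minPatched)) {
      hits.push({ path: trail.join(" > "), version: info.version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b".
    for (const [key, info] of Object.entries(lock.packages)) {
      if (!key) continue; // "" is the root project entry
      record(key.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, "")), info);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, info] of Object.entries(deps || {})) {
        record([...trail, name], info);
        walk(info.dependencies, [...trail, name]); // un-hoisted copies nest here
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed lockfileVersion 1 sample mirroring the chain reported in the thread.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  "gatsby-plugin-sharp": { version: "2.0.0", dependencies: {
    "imagemin-mozjpeg": { version: "8.0.0", dependencies: {
      mozjpeg: { version: "6.0.0", dependencies: {
        "bin-build": { version: "3.0.0", dependencies: {
          decompress: { version: "4.0.0" } } } } } } } } },
  decompress: { version: "4.1.0" } } };
```

On a real project, load the lock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass it in with the patched version from the advisory; an empty result means every resolved copy is at or above that version.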

Thank you for checking 😄

There is a joint effort by the community to address this vulnerability directly in decompress (see https://github.com/kevva/decompress/pull/73) and related repositories. I believe they are waiting for a timely response from the maintainers to make the decision to fork the project 😄

This error is now happening in all our Gatsby projects; has anyone found a workaround yet?

The path traversal fix is for the decompress-tar package, which is used by decompress and is the cause of this issue. After fixing decompress-tar, the decompress package should be updated to use the fixed decompress-tar package. That would solve the issue. I do not know when a patch will be scheduled. I made the PR to speed things up.