Skip to content

Resolve critical and high npm audit vulnerabilities — including @babel/traverse arbitrary code execution #222

Description

@ooloth

Why

The dependency tree contains a known arbitrary-code-execution vulnerability in @babel/traverse < 7.23.2 (CVSS 9.3) that fires during compilation, meaning a malicious or compromised package in the build graph could execute code on any machine running npm install or gatsby build.

Current state

npm audit reports 33 critical and 113 high CVEs in package.json's dependency tree. The most severe is @babel/traverse < 7.23.2 (CVE-2023-45133, CVSS 9.3), which allows arbitrary code execution during Babel compilation. The vulnerability exists because the package is pulled in transitively by Gatsby and its plugins rather than being a direct dependency.

Ideal state

  • npm audit reports zero critical and zero high vulnerabilities.
  • @babel/traverse resolves to >= 7.23.2 across the entire install.
  • The fix is achieved through a combination of direct dependency upgrades, npm audit fix, and — where upgrades are not yet available — overrides entries in package.json that pin the safe version of the affected transitive package.

Out of scope

  • Resolving moderate or low severity advisories (worthwhile but separate).
  • Migrating to a different package manager (yarn, pnpm).

Starting points

  • package.json — direct dependencies and any existing overrides field.
  • package-lock.json — to trace which packages pull in the vulnerable @babel/traverse versions.
  • npm docs: overrides — the mechanism for forcing a safe transitive version.

QA plan

  1. Run npm audit before making any changes and record the critical/high counts.
  2. Apply upgrades or overrides targeting the @babel/traverse advisory first.
  3. Run npm install and then npm audit again — confirm the critical count drops.
  4. Run gatsby build — confirm the build completes without errors.
  5. Run gatsby serve and manually verify the site renders correctly in a browser.
  6. Repeat steps 2–5 for remaining critical/high advisories until npm audit reports zero critical and zero high.

Done when

npm audit exits with zero critical and zero high severity vulnerabilities and gatsby build still completes successfully.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions