Why
The dependency tree contains a known arbitrary-code-execution vulnerability in @babel/traverse < 7.23.2 (CVSS 9.3) that fires during compilation, meaning a malicious or compromised package in the build graph could execute code on any machine running npm install or gatsby build.
Current state
npm audit reports 33 critical and 113 high CVEs in package.json's dependency tree. The most severe is @babel/traverse < 7.23.2 (CVE-2023-45133, CVSS 9.3), which allows arbitrary code execution during Babel compilation. The vulnerability exists because the package is pulled in transitively by Gatsby and its plugins rather than being a direct dependency.
Ideal state
npm audit reports zero critical and zero high vulnerabilities.
@babel/traverse resolves to >= 7.23.2 across the entire install.
- The fix is achieved through a combination of direct dependency upgrades,
npm audit fix, and — where upgrades are not yet available — overrides entries in package.json that pin the safe version of the affected transitive package.
Out of scope
- Resolving moderate or low severity advisories (worthwhile but separate).
- Migrating to a different package manager (yarn, pnpm).
Starting points
package.json — direct dependencies and any existing overrides field.
package-lock.json — to trace which packages pull in the vulnerable @babel/traverse versions.
- npm docs: overrides — the mechanism for forcing a safe transitive version.
QA plan
- Run
npm audit before making any changes and record the critical/high counts.
- Apply upgrades or overrides targeting the
@babel/traverse advisory first.
- Run
npm install and then npm audit again — confirm the critical count drops.
- Run
gatsby build — confirm the build completes without errors.
- Run
gatsby serve and manually verify the site renders correctly in a browser.
- Repeat steps 2–5 for remaining critical/high advisories until
npm audit reports zero critical and zero high.
Done when
npm audit exits with zero critical and zero high severity vulnerabilities and gatsby build still completes successfully.
Why
The dependency tree contains a known arbitrary-code-execution vulnerability in
@babel/traverse < 7.23.2(CVSS 9.3) that fires during compilation, meaning a malicious or compromised package in the build graph could execute code on any machine runningnpm installorgatsby build.Current state
npm auditreports 33 critical and 113 high CVEs inpackage.json's dependency tree. The most severe is@babel/traverse < 7.23.2(CVE-2023-45133, CVSS 9.3), which allows arbitrary code execution during Babel compilation. The vulnerability exists because the package is pulled in transitively by Gatsby and its plugins rather than being a direct dependency.Ideal state
npm auditreports zero critical and zero high vulnerabilities.@babel/traverseresolves to>= 7.23.2across the entire install.npm audit fix, and — where upgrades are not yet available —overridesentries inpackage.jsonthat pin the safe version of the affected transitive package.Out of scope
Starting points
package.json— direct dependencies and any existingoverridesfield.package-lock.json— to trace which packages pull in the vulnerable@babel/traverseversions.QA plan
npm auditbefore making any changes and record the critical/high counts.@babel/traverseadvisory first.npm installand thennpm auditagain — confirm the critical count drops.gatsby build— confirm the build completes without errors.gatsby serveand manually verify the site renders correctly in a browser.npm auditreports zero critical and zero high.Done when
npm auditexits with zero critical and zero high severity vulnerabilities andgatsby buildstill completes successfully.