Vulnerable Package Dependency: minimatch

[pamo]

Ran snyk on my blog and found a vulnerable dependency in Gatsby.

Regular Expression Denial of Service

Snyk Details

Introduced through: likescoffee@pamo/pamo.github.io#384dbb3717fb6bf07c2f693dc5b0ad8eac19893a › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]

[pamo]

Seems like it would be on the contributors of postcss-import to update 😞

[KyleAMathews]

Hey @pamo — thanks for raising this issue. This shouldn't be a problem though for your blog or Gatsby sites in general as minimatch code is only run by Gatsby while developing so safely protected from any malicious actors. I don't recommend exposing a Gatsby development server to the public generally speaking. This is one of the great things about static sites is that they're just files, so not an attack vector.

And yes — postcss-import would need to apply the update for this.