Preliminary Checks
- This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
- This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions
Description
While using [email protected], npm explain multer shows that Gatsby directly depends on [email protected], which is vulnerable (GHSA-whgm-jr23-g3j9).
I’m not using any file-upload functionality, and there’s no plugin pulling it in — it appears to come straight from Gatsby core.
Can this be removed or made optional?
Thanks for all your work on Gatsby
Reproduction Link
https://github.com/gatsbyjs/gatsby-starter-minimal
Steps to Reproduce
- Run npm install [email protected]
- Run npm explain multer
- See that [email protected] is included directly by Gatsby
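Added example, not code from the issue or from Gatsby: an offline counterpart to npm explain that walks a package-lock.json (lockfileVersion 2 or 3 "packages" map) and lists every dependency chain leading to a given package, so a reviewer can confirm from the lockfile alone whether multer is declared directly by gatsby or arrives through a plugin. The lockfile below, the package names other than gatsby and multer, and all version strings are constructed placeholders.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); versions are placeholders.
// For a real project, replace this with JSON.parse(fs.readFileSync("package-lock.json")).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", dependencies: { gatsby: "X.Y.Z" } },
    "node_modules/gatsby": { version: "X.Y.Z", dependencies: { multer: "1.x", express: "4.x" } },
    "node_modules/express": { version: "4.x" },
    "node_modules/multer": { version: "1.x", dependencies: { busboy: "*" } },
    "node_modules/busboy": { version: "*" },
  },
};

// Package name from a lockfile path ("node_modules/a/node_modules/b" -> "b").
function pkgName(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// Reverse edges: dependency name -> packages that declare it (nested copies merged by name).
function reverseDeps(lock) {
  const rev = new Map();
  for (const [path, meta] of Object.entries(lock.packages)) {
    const from = path === "" ? "(root)" : pkgName(path);
    for (const kind of ["dependencies", "optionalDependencies"]) {
      for (const dep of Object.keys(meta[kind] || {})) {
        if (!rev.has(dep)) rev.set(dep, []);
        rev.get(dep).push(from);
      }
    }
  }
  return rev;
}

// Every chain from the project root to `target`, e.g. ["(root)", "gatsby", "multer"].
function explain(lock, target) {
  const rev = reverseDeps(lock);
  const chains = [];
  const walk = (name, chain) => {
    if (name === "(root)") { chains.push(chain); return; }
    for (const parent of rev.get(name) || []) {
      if (!chain.includes(parent)) walk(parent, [parent, ...chain]); // skip cycles
    }
  };
  walk(target, [target]);
  return chains;
}

// Packages that list `target` as a direct dependency (excluding the project root).
function directDependents(lock, target) {
  return (reverseDeps(lock).get(target) || []).filter((p) => p !== "(root)");
}

for (const chain of explain(sampleLock, "multer")) console.log(chain.join(" -> "));
```

A chain of the form (root) -> gatsby -> multer with no plugin in between is what this report describes; an empty result means the package is not in the lockfile at all.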
Expected Result
Gatsby should not include multer directly, as it is not needed for typical usage and brings in a high-severity vulnerability.
Actual Result
[email protected] includes [email protected] as a direct dependency, even though it's not required by any plugin or used in the project. This triggers a Dependabot alert for a known DoS vulnerability (GHSA-whgm-jr23-g3j9).
Environment
npx gatsby info --clipboard
Config Flags
No response