Using webpack-dev-middleware results with npm audit high vulnerability

[sebastian-kopiczko]

Preliminary Checks

• This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
• This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions

Description

Hi folks!

There is a webpack-dev-middleware usage in packages/gatsby/src/utils/start-server.ts which results with a high severity npm audit issue.

Version ^4.3.0 has some reported vulnerabilities, which were fixed in patched versions here

What is the ETA of updating the mentioned package?

Reproduction Link

gatsby/packages/gatsby/package.json

Line 174 in 5723972

"webpack-dev-middleware": "^4.3.0",

Steps to Reproduce

Run npm audit on a fresh Gatsby project.

Expected Result

No high severity vulnerabilities found. webpack-dev-middleware should be bumped to v. 5.3.4 at least

Actual Result

A high severity vulnerability was found.

Environment

System:
    OS: macOS 14.4.1
    CPU: (8) arm64 Apple M1 Pro
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 8.19.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
  Browsers:
    Chrome: 123.0.6312.106
    Edge: 123.0.2420.65
    Firefox: 123.0.1
    Safari: 17.4.1
  npmPackages:
    gatsby: ^5.13.3 => 5.13.3

Config Flags

No response