CVE-2021-23337 Command Injection in lodash

[benomatis]

Preliminary Checks

• This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
• This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions

Description

A dependency of gatsby-plugin-offline, namely workbox-build has a dependency called lodash.template that has a vulnerability reported: GHSA-35jh-r3h4-6jhm

I logged a bug with Google workbook to no avail: GoogleChrome/workbox#3322

Here is a discussion that explains why lodash cannot fix this: lodash/lodash#5851

What could be done to fix this in gatsby?

Reproduction Link

N/A

Steps to Reproduce

This is the result of a GitHub dependabot alert

Expected Result

clear dependabot alert list

Actual Result

dependabot alert

Environment

System:
    OS: macOS 14.5
    CPU: (12) arm64 Apple M2 Pro
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
    Yarn: 1.22.19 - ~/.yarn/bin/yarn
    npm: 9.6.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
  Browsers:
    Chrome: 125.0.6422.142
    Edge: 125.0.2535.92
    Safari: 17.5
  npmGlobalPackages:
    gatsby-cli: 5.11.0

Config Flags

No response

[daniel-stoian-lgp]

I have the same issue, gatsby-plugin-offline needs to update its workbox-build version