socket.io and engine.io dependencies still include vulnerable versions of cookie and path-to-regexp

[kelseyn12]

Preliminary Checks

• This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
• This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions

Description

While using Gatsby v5.14.3, npm audit still reports the following vulnerabilities:

cookie < 0.7.0: GHSA-pxg6-pf52-xh8x

path-to-regexp < 0.1.12: GHSA-rhx6-c78j-4q9w

These are coming from socket.io > engine.io, both used as part of Gatsby’s development server stack.

Would love to see these bumped or replaced in a future release to clean up audits and reduce noise in Dependabot PRs.

Thanks for all your hard work! Gatsby is awesome!

Reproduction Link

https://github.com/gatsbyjs/gatsby-starter-hello-world

Steps to Reproduce

1. Clone the starter repo above and install dependencies using npm install.
2. Run npm audit.
3. Review vulnerabilities listed under gatsby → socket.io and engine.io.

Expected Result

No known high or moderate vulnerabilities in default Gatsby dependency tree.

Actual Result

npm audit reports high and moderate vulnerabilities caused by outdated versions of cookie and path-to-regexp inside Gatsby's dev dependencies (socket.io and engine.io).

Environment

gatsby info --clipboard

Config Flags

No custom flags used.