Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update graphiql dependency #1367

Open
1 of 7 tasks
SimenB opened this issue Feb 8, 2022 · 0 comments
Open
1 of 7 tasks

Update graphiql dependency #1367

SimenB opened this issue Feb 8, 2022 · 0 comments

Comments

@SimenB
Copy link

SimenB commented Feb 8, 2022

This issue pertains to the following package(s):

  • GraphQL Playground - Electron App
  • GraphQL Playground HTML
  • GraphQL Playground
  • GraphQL Playground Express Middleware
  • GraphQL Playground Hapi Middleware
  • GraphQL Playground Koa Middleware
  • GraphQL Playground Lambda Middleware

What OS and OS version are you experiencing the issue(s) on?

N/A

What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?

1.7.28

What is the expected behavior?

There should be no security warnings from GitHub/npm.

What is the actual behavior?

graphiql@0.17.5 has the following advisory: GHSA-x4r7-m2q9-69c8.

It also pulls in a version of markdown-it with GHSA-6vfc-qv3f-vr6c

Additionally, the version this module depends on of isomorphic-fetch pulls in a node-fetch with GHSA-r683-j2x4-v87g & GHSA-w7rc-rwvf-8q5r

What steps may we take to reproduce the behavior?

npm install graphql-playground-react && npm audit

Please provide a gif or image of the issue for a quicker response/fix.

# npm audit report

graphiql  0.5.0 - 1.4.7-canary-85a66743.0
Severity: high
GraphiQL introspection schema template injection attack - https://github.com/advisories/GHSA-x4r7-m2q9-69c8
Depends on vulnerable versions of markdown-it
No fix available
node_modules/graphiql
  graphql-playground-react  *
  Depends on vulnerable versions of graphiql
  node_modules/graphql-playground-react

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
No fix available
node_modules/graphiql/node_modules/markdown-it
  graphiql  0.5.0 - 1.4.7-canary-85a66743.0
  Depends on vulnerable versions of markdown-it
  node_modules/graphiql
    graphql-playground-react  *
    Depends on vulnerable versions of graphiql
    node_modules/graphql-playground-react

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/isomorphic-fetch/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/fbjs
      react  0.15.0-alpha.1 - 16.4.2
      Depends on vulnerable versions of fbjs
      node_modules/react
        react-dom  0.15.0-alpha.1 - 16.4.2
        Depends on vulnerable versions of fbjs
        Depends on vulnerable versions of react
        node_modules/react-dom
          react-codemirror  >=1.0.0
          Depends on vulnerable versions of react-dom
          node_modules/react-codemirror

9 vulnerabilities (5 low, 1 moderate, 3 high)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@SimenB