Insecure Default Configuration in graphql-code-generator
High severity
GitHub Reviewed
Published
Sep 2, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 2, 2020
Last updated
Jan 9, 2023
Versions of
graphql-code-generator
prior to 0.18.2 have an Insecure Default Configuration. The packages setsNODE_TLS_REJECT_UNAUTHORIZED
to 0, disabling certificate verification for the entire project. This results in Insecure Communication for the process.Recommendation
Upgrade to version 0.18.2 or later.
References