apollo-server-env is dependent on a version of node-fetch with a security vulnerability #6065
Comments
That npm audit seems to be imprecise. The fix has also been backported to 2.6.7 (and we can't really take the major upgrade as v2 -> v3 drops support to use it in a build context that isn't ES Module-native), and as you can see above the latest version of Apollo Server does require 2.6.7. Note that this particular vulnerability is unlikely to affect any use cases in Apollo Server anyway, and there are workarounds to allow you to use your favorite version of node-fetch or any other implementation of the fetch API. See https://github.com/apollographql/apollo-server/blob/main/CHANGELOG.md#v362 for details.
For what it's worth, I can't reproduce this. Maybe the advisory has been fixed with the appropriate versions already?
Going to the linked GHSA-r683-j2x4-v87g shows correctly that 2.6.7 is OK. I see that your npm audit is linking to huntr.dev rather than the GH advisories. Have you somehow configured npm audit to use some other source of advisories?
I'm actually dependent on apollo-server-core which then depends on this and
Ok so I'm trying to dig into this more and I am still seeing the issue. I am following your steps here and I'm realizing you're installing package.json version
node versions
So then I tried to run npm i node-fetch@3.2.0 and then npm audit fix. But this of course does not update the node-fetch dependency for apollo-server-env because it cannot match that major version upgrade.
So the confusion here comes from my But then the solutions seem to be:
Here is the security patch release: https://github.com/node-fetch/node-fetch/releases/tag/v3.1.1
In their actual fix they have this comment:
So that seems to confirm point
The actual advisory I linked above makes it clear that the fix is in both 3.1.1 and 2.6.7. You must have your npm audit configured to talk to some other advisory source whose metadata is imprecise. In any case there's no actual security issue here -- the issue only occurs if you use node-fetch to talk to a URL that will redirect to an attacker-controlled URL, and we don't do that in Apollo Server (unless you do that in a server that you use apollo-datasource-rest to talk to). Open redirectors are generally considered to be a bad idea anyway.
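One way to verify this locally instead of trusting a proxied audit feed, as an added example that is not part of the thread or of Apollo's code: walk a package-lock.json, find every resolved copy of node-fetch (including nested ones under apollo-server-env), and flag any below the fixed versions the advisory names, 2.6.7 on the v2 line and 3.1.1 on the v3 line. The lock fragment is constructed; the version comparison is hand-rolled so the script runs offline without the semver package.

```javascript
// Added example, not from the issue thread: report node-fetch copies in a
// package-lock.json (lockfile v2/v3 "packages" map) that predate the fix.
// Fixed floors per the linked advisory: 2.6.7 (v2 line) and 3.1.1 (v3 line).
const PATCHED = { 2: [2, 6, 7], 3: [3, 1, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version is at or above the fixed release of its major line.
// 0.x/1.x lines predate both fixes; majors above 3 postdate them.
function isPatched(version) {
  const parsed = parseVersion(version);
  const floor = PATCHED[parsed[0]];
  if (!floor) return parsed[0] > 3;
  return compare(parsed, floor) >= 0;
}

// Returns [{ path, version }] for every node-fetch entry below its fixed floor,
// so a nested copy under another package is caught, not just the top-level one.
function findVulnerableNodeFetch(lock) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/node-fetch') || !pkg.version) continue;
    if (!isPatched(pkg.version)) out.push({ path, version: pkg.version });
  }
  return out;
}

// Constructed lock fragment mirroring the thread: a top-level 3.2.0 plus an
// older 2.x copy nested under apollo-server-env that "npm i node-fetch@3.2.0"
// does not touch.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/node-fetch': { version: '3.2.0' },
    'node_modules/apollo-server-env/node_modules/node-fetch': { version: '2.6.1' },
  },
};

console.log(findVulnerableNodeFetch(SAMPLE_LOCK));
```

Point it at a real lock file with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of SAMPLE_LOCK; an empty result means every resolved node-fetch is at or above the fixed version.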
Ok, I think I'm catching up now. Thank you for your patience. We are indeed using on-prem github and an on-prem artifactory which works as a proxy/cache for public npm. I don't know how the audit is working exactly (or not as the case may be). Anyway, not your problem, sorry for the noise!
It seems like you just need to update to a newer version of node-fetch, 3.1.1 or greater (3.2.0 is latest currently).