fix(security): Use latest graphql-voyager package to remove legacy node-fetch dep #19255
Hey, I just made a Pull Request!

The repo identifies that it is exposed to a `node-fetch` high vulnerability due to a very old version. This is through a transitive dependency in the GraphQL Voyager plugin, and the vulnerability which was previously patched was reintroduced when that plugin was added. The plugin uses an npm package of `graphql-voyager` which was in an early release candidate mode. So I removed that identification in the yarn lock, and let Yarn pick up a newer version of that dep which includes some bumped transitive deps to patch this issue again. It seems to remove a very old version of MaterialUI Core v3, as well.
✔️ Checklist

- Signed-off-by line in the message.