
High severity lodash vulnerability #2380

Closed
davetapley opened this issue Aug 15, 2019 · 1 comment
Labels
core Related to codegen core/cli

Comments

@davetapley

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ graphql-codegen-add [dev]                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ graphql-codegen-add > graphql-codegen-core > graphql-toolkit │
│               │ > lodash                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

This advisory is fixed downstream in graphql-toolkit here.
But we are pinned to a version without the fix:

I propose that ⬆️ is relaxed to allow npm audit fix to resolve this.

@dotansimha
Owner

dotansimha commented Aug 16, 2019

Thanks @dukedave, the fix in graphql-toolkit was in Jul 9, and since then we have released multiple versions.
Running yarn why suggests that graphql-toolkit brings the following:

=> Found "graphql-toolkit#lodash@4.17.15"
info This module exists because "_project_#@graphql-codegen#cli#graphql-toolkit" depends on it.
info Disk size without dependencies: "4.86MB"
info Disk size with unique dependencies: "4.86MB"
info Disk size with transitive dependencies: "4.86MB"
info Number of shared dependencies: 0

Which includes the latest fix.
I suggest updating to the latest version of the codegen.

Thanks!

@dotansimha dotansimha added the core Related to codegen core/cli label Aug 16, 2019
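The audit output above reports a transitive lodash copy below the patched floor (>=4.17.12) while the maintainer's yarn why shows a fixed copy elsewhere in the tree. The following script, an added example that is not part of graphql-code-generator, walks a package-lock style nested dependencies tree, lists every installed copy of a package with its path (the same shape as the audit's "Path" row), and flags the ones older than the patched version. The lockfile fragment is constructed to mirror the path reported in the issue; the helper names are the example's own, and a real lockfile would be loaded with JSON.parse(fs.readFileSync('package-lock.json')).

```javascript
// Added example (not project code): find stale transitive copies of a package
// in a package-lock style "dependencies" tree and report them audit-style.

// Minimal compare on the "major.minor.patch" core; no prerelease handling.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `name`; each hit carries the
// install path (root to package) and the resolved version.
function findInstalls(deps, name, trail = []) {
  const found = [];
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...trail, dep];
    if (dep === name) found.push({ path: here, version: info.version });
    found.push(...findInstalls(info.dependencies, name, here));
  }
  return found;
}

// Installs strictly below `patchedIn` (the audit's "Patched in" floor).
function vulnerableInstalls(lock, name, patchedIn) {
  return findInstalls(lock.dependencies, name)
    .filter((i) => compareVersions(i.version, patchedIn) < 0);
}

// Constructed lockfile fragment: a hoisted fixed lodash plus a nested stale
// copy on the path from the issue. Unrelated lockfile fields are omitted.
const sampleLock = {
  dependencies: {
    lodash: { version: '4.17.15' },
    'graphql-codegen-add': { dependencies: {
      'graphql-codegen-core': { dependencies: {
        'graphql-toolkit': { dependencies: {
          lodash: { version: '4.17.11' },
        } },
      } },
    } },
  },
};

for (const v of vulnerableInstalls(sampleLock, 'lodash', '4.17.12')) {
  console.log(`${v.path.join(' > ')} @ ${v.version} is below 4.17.12`);
}
```

Running it on the constructed tree prints only the nested graphql-toolkit copy; the hoisted 4.17.15 passes, which matches why yarn why and npm audit can disagree until the stale pin is relaxed.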