Vulnerability in js-yaml dependency
janheinrichmerker opened this issue · 3 comments
Description
The js-yaml dependency in graphqlgen's package.json is reported to be a vulnerability. See https://www.npmjs.com/advisories/813.
Steps to reproduce
- Create a blank project.
- Run npm install --save graphqlgen
- Run npm audit
Expected results
npm audit reports no vulnerabilities.
Actual results
npm audit reports a high severity vulnerability:

| High | Code Injection |
|---|---|
| Package | js-yaml |
| Patched in | >=3.13.1 |
| Dependency of | graphqlgen [dev] |
| Path | graphqlgen > js-yaml |
| More info | https://npmjs.com/advisories/813 |
Versions
- graphqlgen: 0.5.1
- OS name and version: Windows 10
I would recommend simply updating the js-yaml dependency.

Also, using ^ when declaring dependencies can often avoid this kind of bug, as the patch in the dependency's repo could automatically be loaded without making changes to graphqlgen.
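The point about caret ranges, as an added example that is not part of this issue or of the graphqlgen project: a small resolver that shows which js-yaml version a pinned spec versus a ^ spec can pick up from a constructed list of published versions, and whether the result lands inside the advisory's patched range (>=3.13.1). The version specs and the published list are assumptions for illustration, not graphqlgen's actual package.json or the real registry.

```javascript
// Added example (not the graphqlgen project's code). Shows how a dependency
// spec interacts with an advisory's "patched in" range, using hand-rolled
// semver logic so it runs without the `semver` package.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Highest version a spec can resolve to from the published list.
// Supports exact pins ("3.12.0"), caret ("^3.12.0") and tilde ("~3.12.0").
function resolve(spec, published) {
  const caret = spec.startsWith('^');
  const tilde = spec.startsWith('~');
  const base = parseVersion(spec.replace(/^[\^~]/, ''));
  const candidates = published.map(parseVersion).filter((v) => {
    if (caret) {
      // ^ keeps the leftmost non-zero component fixed
      if (base.major > 0) return v.major === base.major && compare(v, base) >= 0;
      return v.major === 0 && v.minor === base.minor && compare(v, base) >= 0;
    }
    if (tilde) return v.major === base.major && v.minor === base.minor && compare(v, base) >= 0;
    return compare(v, base) === 0; // exact pin
  });
  if (candidates.length === 0) return null;
  candidates.sort(compare);
  const best = candidates[candidates.length - 1];
  return `${best.major}.${best.minor}.${best.patch}`;
}

// true when the version the spec resolves to satisfies a ">=X.Y.Z" patched range
function isPatched(spec, published, patchedIn) {
  const resolved = resolve(spec, published);
  if (!resolved) return false;
  const min = parseVersion(patchedIn.replace(/^>=/, ''));
  return compare(parseVersion(resolved), min) >= 0;
}

// Constructed sample of published js-yaml versions (assumption, not the registry).
const PUBLISHED = ['3.12.0', '3.12.1', '3.12.2', '3.13.0', '3.13.1'];
```

Note that a lockfile keeps the resolved version fixed until the dependency is re-resolved (for example via npm update), so a caret range only widens what is allowed; it does not by itself move an existing install onto the patched release.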
Another moderate vulnerability is reported, also caused by js-yaml: https://www.npmjs.com/advisories/788
I also have this high vulnerability plus 67 vulnerabilities (63 low, 3 moderate, 1 high). But they are all dev packages; I just use graphqlgen and Jest, which I believe, when it is built, the final product won't use these packages with vulnerabilities.

What do you think? Is that right?