prisma-labs/graphqlgen

Vulnerability in js-yaml dependency

janheinrichmerker opened this issue · 3 comments

Description

The js-yaml dependency in graphqlgen's package.json is reported to be a vulnerability.
See https://www.npmjs.com/advisories/813.

Steps to reproduce

  1. Create a blank project.
  2. npm install --save graphqlgen
  3. npm audit

Expected results

npm audit reports no vulnerabilities.

Actual results

npm audit reports a high severity vulnerability:

  High            Code Injection
  Package         js-yaml
  Patched in      >=3.13.1
  Dependency of   graphqlgen [dev]
  Path            graphqlgen > js-yaml
  More info       https://npmjs.com/advisories/813

Versions

  • graphqlgen: 0.5.1
  • OS name and version: Windows 10

I would recommend simply updating the js-yaml dependency.
Also, using ^ when declaring dependencies can often avoid this kind of bug, as the patch in the dependency's repo could be loaded automatically, without making changes to graphqlgen.

Another moderate vulnerability is reported, also caused by js-yaml:
https://www.npmjs.com/advisories/788
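The point about ^ ranges comes down to how npm resolves a declared range against the versions published in the registry. The following is an added example, not code from graphqlgen or from the issue author: a minimal implementation of npm's caret (^), exact and ">=" range semantics, applied to a constructed list of js-yaml versions (not fetched from the registry) in which 3.13.1 is the patched release npm audit names. The pinned declaration "3.12.0" is an assumption for illustration, not the actual entry in graphqlgen's package.json. It goes slightly beyond the issue by also covering caret ranges on 0.x versions, which behave differently.

```javascript
// Added example, not code from the graphqlgen project or the issue author.
// Minimal implementation of npm's caret (^) range semantics, enough to show
// when a fresh install of a dependent picks up a patched release and when
// it does not.

// Parse "MAJOR.MINOR.PATCH" into an array of three integers. Pre-release
// tags and build metadata are deliberately not handled (assumption: every
// version used here is a plain release).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: the next version that changes the
// left-most non-zero component. ^3.12.0 -> <4.0.0, ^0.5.1 -> <0.6.0,
// ^0.0.3 -> <0.0.4. This is why ^ on a 0.x package does not follow minor bumps.
function caretUpperBound(base) {
  const [maj, min, pat] = parseVersion(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// Does `version` satisfy `range`? Supported forms: an exact version
// ("3.12.0"), a caret range ("^3.12.0") and a lower bound (">=3.13.1",
// the form npm audit prints in its "Patched in" column).
function satisfies(range, version) {
  range = range.trim();
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return compareVersions(version, base) >= 0 &&
           compareVersions(version, caretUpperBound(base)) < 0;
  }
  if (range.startsWith('>=')) {
    return compareVersions(version, range.slice(2)) >= 0;
  }
  return compareVersions(version, range) === 0;
}

// The version a fresh install would pick for `range`: the highest published
// version that satisfies it, or null if none does.
function resolve(range, published) {
  const candidates = published.filter(v => satisfies(range, v));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Constructed list of published js-yaml versions (not pulled from the
// registry); 3.13.1 is the version npm audit reports as patched.
const PUBLISHED_JS_YAML = ['3.12.0', '3.12.1', '3.12.2', '3.13.0', '3.13.1'];
const PATCHED_RANGE = '>=3.13.1';

// For one declaration in a package.json, report what a fresh install resolves
// to and whether that version falls inside the patched range.
function auditDeclaration(declared, published = PUBLISHED_JS_YAML) {
  const resolved = resolve(declared, published);
  return {
    declared,
    resolved,
    patched: resolved !== null && satisfies(PATCHED_RANGE, resolved),
  };
}

// Pinned declaration: stays on the old release until the dependent itself is
// changed. Caret declaration: a fresh install already resolves to 3.13.1.
// (The pinned value "3.12.0" is an assumption for illustration, not the real
// declaration in graphqlgen's package.json.)
console.log(auditDeclaration('3.12.0'));   // resolved 3.12.0, patched false
console.log(auditDeclaration('^3.12.0'));  // resolved 3.13.1, patched true
console.log(caretUpperBound('0.5.1'));     // 0.6.0: ^ on 0.x stays within 0.5
```

Two caveats when applying this in practice: a caret range only helps installs that resolve afresh, so a project with a committed package-lock.json keeps the locked js-yaml until `npm update` or `npm audit fix` rewrites the lock; and for 0.x packages (graphqlgen itself is 0.5.1) a caret range is effectively "same minor only", so a fix shipped in the next minor is not picked up automatically.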

rfdc commented

I also have this high vulnerability plus 67 vulnerabilities (63 low, 3 moderate, 1 high). But they are all dev packages, just using graphqlgen and Jest, which I believe, when it is built, the final product won't use these packages with vulnerabilities.

What do you think? Is that right?