This repository has been archived by the owner on Dec 8, 2021. It is now read-only.

Vulnerability in js-yaml dependency #476

Open
janheinrichmerker opened this issue Apr 18, 2019 · 3 comments

Comments

@janheinrichmerker

Description

The js-yaml dependency in graphqlgen's package.json is reported to be a vulnerability.
See https://www.npmjs.com/advisories/813.

Steps to reproduce

  1. Create a blank project.
  2. npm install --save graphqlgen
  3. npm audit

Expected results

npm audit reports no vulnerabilities.

Actual results

npm audit reports a high severity vulnerability:

  High            Code Injection
  Package         js-yaml
  Patched in      >=3.13.1
  Dependency of   graphqlgen [dev]
  Path            graphqlgen > js-yaml
  More info       https://npmjs.com/advisories/813

Versions

  • graphqlgen: 0.5.1
  • OS name and version: Windows 10

@janheinrichmerker
Author

I would recommend simply updating the js-yaml dependency.
Also, using ^ when declaring dependencies can often avoid this kind of bug, as the patch in the dependency's repo could automatically be loaded without making changes to graphqlgen.

@janheinrichmerker
Author

Another moderate vulnerability is reported, also caused by js-yaml:
https://www.npmjs.com/advisories/788

@rfdc

rfdc commented Jul 31, 2019

I also have this high vulnerability plus 67 vulnerabilities (63 low, 3 moderate, 1 high). But they are all dev packages; I just use graphqlgen and Jest, which I believe, when it is built, means the final product won't use these packages with vulnerabilities.

What do you think? Is that right?
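The dev-versus-production question above is exactly what the `dev` flag in `npm audit --json` answers. The following is an added example (not code from graphqlgen or from anyone in this thread) that triages a report in npm 6's JSON layout: it separates findings whose every path goes through devDependencies, like `graphqlgen > js-yaml` here, from production-path findings, and checks the installed version against the ">=X.Y.Z" range npm prints under "Patched in". The sample report is constructed; the installed js-yaml version 3.12.0 and the "example-prod-pkg" advisory are placeholders, not values from the issue.

```javascript
// Constructed sample, modelled on npm 6's `npm audit --json` layout. Advisory 813
// is the one from this issue; the installed version 3.12.0 is a constructed value
// (the issue does not state it). "example-prod-pkg" / 999999 is a placeholder
// advisory added only to show a production-path finding for contrast.
const SAMPLE_REPORT = {
  advisories: {
    '813': {
      id: 813, module_name: 'js-yaml', severity: 'high', title: 'Code Injection',
      patched_versions: '>=3.13.1', url: 'https://npmjs.com/advisories/813',
      findings: [{ version: '3.12.0', paths: ['graphqlgen>js-yaml'], dev: true }],
    },
    '999999': {
      id: 999999, module_name: 'example-prod-pkg', severity: 'moderate',
      title: 'Placeholder', patched_versions: '>=2.0.0', url: 'https://example.invalid',
      findings: [{ version: '1.4.0', paths: ['example-prod-pkg'], dev: false }],
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; a prerelease suffix is dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Only the ">=X.Y.Z" form that npm audit prints under "Patched in" is handled
// (assumption for this example); any other range is reported as not fixed.
function satisfiesPatched(version, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) return false;
  const have = parseVersion(version);
  const need = parseVersion(m[1]);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] > need[i];
  }
  return true; // exactly the patched version counts as fixed
}

// One row per advisory: devOnly is true when every finding path is reachable only
// through devDependencies (npm's `dev` flag), fixed when every installed copy is
// already inside the patched range. Production findings are the ones to act on first.
function triage(report) {
  return Object.values(report.advisories).map((adv) => ({
    id: adv.id,
    module: adv.module_name,
    severity: adv.severity,
    devOnly: adv.findings.every((f) => f.dev === true),
    fixed: adv.findings.every((f) => satisfiesPatched(f.version, adv.patched_versions)),
  }));
}
```

To run it against a real project, save `npm audit --json > audit.json` and call `triage(require('./audit.json'))`; a `devOnly: true` row means npm found the package only under devDependencies, so it is installed for the build and test tooling rather than pulled in by the shipped package's runtime dependencies.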
