openapi-to-graphql openapi-to-graphql uses outdated package "graphql-upload" which uses vulnerable package "dicer"

openapi-to-graphql uses outdated package "graphql-upload" which uses vulnerable package "dicer"

Open florian-besser opened this issue 2 years ago • 0 comments

Description According to https://security.snyk.io/vuln/SNYK-JS-DICER-2311764 the package dicer is vulnerable in all versions and should be replaced with an alternative.

To Reproduce

npm i openapi-to-graphql

Expected behavior A version of graphql-upload >= 15.0.0 is used. See release notes: https://github.com/jaydenseric/graphql-upload/releases/tag/v15.0.0 which mention the corresponding fix.

Actual behavior This leads to the following chain being installed:

[email protected] > [email protected] > [email protected] > [email protected]

Additional context I tried the following fixes to work around the issue:

Try lifting graphql-upload forcefully to 15.0.0 by using an override in package.json This lead to an error in openapi-to-graphql/dist/index.js:8:23), which tries to:

const graphqlUpload = require('graphql-upload');

With the new versions of we get the following error:

No "exports" main defined in /<path>/node_modules/graphql-upload/package.json

Forcing busboy to be >=1.0.0 by using an override in package.json. This seems to have solved the problem but I'm now left with the potential issues stemming from violating the dependencies of graphql-upload which is not prepared to work with such a new version of busboy.

Jan 27 '23 09:01 florian-besser

openapi-to-graphql openapi-to-graphql copied to clipboard

openapi-to-graphql uses outdated package "graphql-upload" which uses vulnerable package "dicer"

openapi-to-graphql
openapi-to-graphql copied to clipboard