graphql-playground
Update `graphiql` dependency
This issue pertains to the following package(s):
- [ ] GraphQL Playground - Electron App
- [ ] GraphQL Playground HTML
- [x] GraphQL Playground
- [ ] GraphQL Playground Express Middleware
- [ ] GraphQL Playground Hapi Middleware
- [ ] GraphQL Playground Koa Middleware
- [ ] GraphQL Playground Lambda Middleware
What OS and OS version are you experiencing the issue(s) on?
N/A
What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?
1.7.28
What is the expected behavior?
There should be no security warnings from GitHub/npm.
What is the actual behavior?
[email protected] has the following advisory: https://github.com/advisories/GHSA-x4r7-m2q9-69c8.
It also pulls in a version of markdown-it with https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
Additionally, the version of isomorphic-fetch that this module depends on pulls in a node-fetch with https://github.com/advisories/GHSA-r683-j2x4-v87g & https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
What steps may we take to reproduce the behavior?
`npm install graphql-playground-react && npm audit`
Please provide a gif or image of the issue for a quicker response/fix.
```
# npm audit report

graphiql  0.5.0 - 1.4.7-canary-85a66743.0
Severity: high
GraphiQL introspection schema template injection attack - https://github.com/advisories/GHSA-x4r7-m2q9-69c8
Depends on vulnerable versions of markdown-it
No fix available
node_modules/graphiql
  graphql-playground-react  *
  Depends on vulnerable versions of graphiql
  node_modules/graphql-playground-react

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
No fix available
node_modules/graphiql/node_modules/markdown-it
  graphiql  0.5.0 - 1.4.7-canary-85a66743.0
  Depends on vulnerable versions of markdown-it
  node_modules/graphiql
    graphql-playground-react  *
    Depends on vulnerable versions of graphiql
    node_modules/graphql-playground-react

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/isomorphic-fetch/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/fbjs
      react  0.15.0-alpha.1 - 16.4.2
      Depends on vulnerable versions of fbjs
      node_modules/react
      react-dom  0.15.0-alpha.1 - 16.4.2
      Depends on vulnerable versions of fbjs
      Depends on vulnerable versions of react
      node_modules/react-dom
        react-codemirror  >=1.0.0
        Depends on vulnerable versions of react-dom
        node_modules/react-codemirror

9 vulnerabilities (5 low, 1 moderate, 3 high)
```
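As an added interim mitigation for consumers (not part of this issue and not maintained by the graphql-playground project), a `package.json` `overrides` block (npm 8.3 or newer) can force the two transitive packages that `npm audit` reports above to patched versions; the version floors are taken from the vulnerable ranges in the report, `markdown-it <12.3.2` and `node-fetch <=2.6.6`:

```json
{
  "name": "my-app",
  "private": true,
  "dependencies": {
    "graphql-playground-react": "1.7.28"
  },
  "overrides": {
    "graphql-playground-react": {
      "markdown-it": ">=12.3.2",
      "node-fetch": ">=2.6.7"
    }
  }
}
```

This only clears the markdown-it and node-fetch advisories and re-running `npm audit` should confirm that; the graphiql advisory (GHSA-x4r7-m2q9-69c8) is reported with "No fix available" inside the declared range, so it still needs the `graphiql` dependency bump this issue asks for.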