
Security vulnerability in transitive dependencies

Open tapegram opened this issue 1 year ago • 5 comments

Issue workflow progress

Progress of the issue based on the Contributor Workflow

  • [ ] 1. The issue provides a reproduction available on GitHub, Stackblitz or CodeSandbox

    For example, you can start off by editing the 'basic' example on Stackblitz.

    Please make sure the graphql-eslint version under package.json matches yours.

  • [ ] 2. A failing test has been provided

  • [ ] 3. A local solution has been provided

  • [ ] 4. A pull request is pending review


Describe the bug

Dependabot is reporting a transitive dependency needs updating:

[Screenshot of the Dependabot alert, 2024-06-27]

It would be great if graphql-eslint could update its dependencies on graphql-tools once they release their updates.

They updated their version of ws in the last week:

https://github.com/ardatan/graphql-tools/pull/6273


To Reproduce

Steps to reproduce the behavior:

Expected behavior

No more vulnerability in transitive dependencies!

Thanks!

tapegram avatar Jun 27 '24 18:06 tapegram

It seems a recent version (>5) of graphql-config does not have this dependency chain anymore, and it was already updated in https://github.com/dimaMachina/graphql-eslint/commit/296f700de147f2e5d218cfbf03921a7f41944764, so a fresh release of @graphql-eslint/eslint-plugin would already resolve the issue, I think.

bxt avatar Jun 28 '24 13:06 bxt

@dimaMachina What are the plans for a new release? The last release was almost a year ago.

alimony avatar Jul 01 '24 08:07 alimony

@dimaMachina @dotansimha Also seeing this issue through npm, is it possible to get a release?

Lukeaber avatar Jul 19 '24 08:07 Lukeaber

Hi @comatory @dimaMachina, any plans for a new release to fix security vulnerabilities?

lucasrmendonca avatar Sep 02 '24 18:09 lucasrmendonca

For those who need it fixed without waiting for a new release, you can override the graphql-config version in package.json, since they have already fixed the issue. This will make the audit errors go away.

For yarn, just add this to package.json:

    "resolutions": { "@graphql-eslint/eslint-plugin/graphql-config": "5.0.0" }

For npm:

    "overrides": { "@graphql-eslint/eslint-plugin": { "graphql-config": "5.0.0" } }

You will still get a warning saying the versions are incompatible, but the errors go away.

EduardodaVeiga avatar Sep 06 '24 01:09 EduardodaVeiga
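To verify that the override above actually removed the nested copy, here is an added example (not from this thread or the graphql-eslint project) that scans a package-lock.json v2/v3 "packages" map for every installed copy of a dependency, flags the ones older than a given floor, and checks that package.json carries one of the two override forms. The lockfile contents and the ws floor version are constructed assumptions for illustration.

```javascript
// Added example: audit a package-lock for stale nested copies of a dependency.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly older than b (major.minor.patch only;
// prerelease tags are ignored, which is enough for this audit check).
function olderThan(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Every install path of `name` (scoped names included), deepest nesting first.
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, e]) => ({ path: p, version: e.version }))
    .sort((a, b) => b.path.length - a.path.length);
}

// Copies of `name` that are older than the first fixed version.
function vulnerableCopies(lock, name, minFixed) {
  return findCopies(lock, name).filter((c) => olderThan(c.version, minFixed));
}

// True if package.json has the yarn "resolutions" or npm "overrides" entry
// from the workaround in this thread.
function hasGraphqlConfigOverride(pkg) {
  const yarn = pkg.resolutions?.["@graphql-eslint/eslint-plugin/graphql-config"];
  const npm = pkg.overrides?.["@graphql-eslint/eslint-plugin"]?.["graphql-config"];
  return Boolean(yarn || npm);
}

// Constructed sample lock: the root has a newer ws, but the plugin's nested
// graphql-config 4.x still carries an older ws. Versions are illustrative.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "app" },
    "node_modules/ws": { version: "8.17.1" },
    "node_modules/@graphql-eslint/eslint-plugin": { version: "3.20.1" },
    "node_modules/@graphql-eslint/eslint-plugin/node_modules/graphql-config": { version: "4.5.0" },
    "node_modules/@graphql-eslint/eslint-plugin/node_modules/graphql-config/node_modules/ws": { version: "8.13.0" },
  },
};
const ASSUMED_FIXED_WS = "8.17.1"; // assumption; take the real floor from the advisory
console.log(vulnerableCopies(SAMPLE_LOCK, "ws", ASSUMED_FIXED_WS));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and the floor with the version named in the advisory.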

sorry, no more updates for v3, try v4 alpha where graphql-config is set to:

  "dependencies": {
    "graphql-config": "^5.1.0"

dimaMachina avatar Nov 16 '24 11:11 dimaMachina