@apollographql/apollo-server-core 2.25.4 depends on @apollographql/graphql-upload-8-fork, which depends on busboy <=0.3.1, which depends on a version of dicer which is vulnerable to a Denial of Service attack and has been assigned CVE-2022-24434. The busboy maintainer has released a new busboy version 1.0.0 which removes the vulnerable dependency altogether: mscdex/busboy#266. Unfortunately, @apollographql/graphql-upload-8-fork still depends on vulnerable busboy 0.3.1.
➜ demo-project git:(main) ✗ npm audit --only=prod
# npm audit report
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install apollo-server-express@3.8.1, which is a breaking change
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
@apollographql/graphql-upload-8-fork *
Depends on vulnerable versions of busboy
node_modules/@apollographql/graphql-upload-8-fork
apollo-server-core 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
node_modules/apollo-server-core
apollo-server-express 2.0.1 || 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of apollo-server-core
node_modules/apollo-server-express
5 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
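To check a project for the chain the audit above reports without relying on `npm audit` alone, here is an added example (not code from this issue, from Apollo Server or from npm) that walks a `package.json` plus a lockfileVersion-1 `package-lock.json` and prints every path from a direct dependency down to busboy <= 0.3.1. The lockfile and package.json objects are constructed inline; the version given for the graphql-upload fork is a placeholder, and the nested busboy 0.3.1 under the fork next to a hoisted busboy 1.0.0 is an assumed half-upgraded layout included to show why a root-level upgrade is not enough.

```javascript
// Constructed package.json and lockfileVersion-1 package-lock.json data mirroring the audit chain
// above; the fork's version is a placeholder. busboy 1.0.0 is hoisted to the root, the fork keeps nested 0.3.1.
const samplePackageJson = { dependencies: { "apollo-server-express": "^2.25.4", busboy: "^1.0.0" } };
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "apollo-server-express": { version: "2.25.4", requires: { "apollo-server-core": "^2.25.4" } },
    "apollo-server-core": { version: "2.25.4", requires: { "@apollographql/graphql-upload-8-fork": "*" } },
    "@apollographql/graphql-upload-8-fork": {
      version: "8.0.0", requires: { busboy: "^0.3.1" }, // version is a placeholder, not from the issue
      dependencies: { busboy: { version: "0.3.1", requires: { dicer: "*" } } },
    },
    busboy: { version: "1.0.0" }, // the fixed release, which no longer depends on dicer
  },
};

// Compare dotted numeric versions (prerelease tags ignored): negative, zero or positive like strcmp.
function cmpVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The affected range from the audit report: busboy <= 0.3.1 (it pulls in the vulnerable dicer).
function isVulnerableBusboy(name, version) {
  return name === "busboy" && cmpVersions(version, "0.3.1") <= 0;
}

// Depth-first walk from each direct dependency, resolving names the way npm does (innermost nested
// "dependencies" scope first, then ancestors, then root). Returns each flagged path as "name@version" labels.
function findVulnerablePaths(pkgJson, lock, isVulnerable) {
  const hits = [];
  function walk(name, scopes, path) {
    const scope = scopes.slice().reverse().find((s) => s && name in s);
    if (!scope) return; // not present in the lockfile at all
    const node = scope[name];
    const label = `${name}@${node.version}`;
    if (path.includes(label)) return; // cycle guard for circular dependency graphs
    const next = path.concat(label);
    if (isVulnerable(name, node.version)) { hits.push(next); return; }
    for (const dep of Object.keys(node.requires || {})) walk(dep, scopes.concat([node.dependencies]), next);
  }
  for (const dep of Object.keys(pkgJson.dependencies || {})) walk(dep, [lock.dependencies], []);
  return hits;
}

for (const p of findVulnerablePaths(samplePackageJson, sampleLock, isVulnerableBusboy)) console.log(p.join(" -> "));
```

The direct busboy 1.0.0 dependency is not reported; only the apollo-server-express chain that resolves to the fork's nested 0.3.1 copy is.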
The upload feature of Apollo Server 2 is itself a security vulnerability unless counteracted with CSRF protection. In fact the latest version as of this week turns it off by default, which also protects you from this issue.
If you'd be happier not having the upload code (which I guess has two vulnerabilities!) in your project at all rather than just deactivated, upgrade to Apollo Server 3.
(See GHSA-2p3c-p3qw-69r4 for details on why this feature is a security vulnerability; we have protections against this whole class of vulnerabilities in AS3.)