From 273ad602f454a42bdf4694430be6f07dff7eb49a Mon Sep 17 00:00:00 2001
From: Good stuff and well done!
Date: Tue, 26 Jul 2022 16:55:27 +0200
Subject: [PATCH] fix(deps): replace cross-undici-fetch with @whatwg-node/fetch. Fixes security vulnerability introduced by undici < 5.8.0 (#8143)
---
 .changeset/spotty-pans-serve.md | 5 ++
 packages/graphql-codegen-cli/package.json | 2 +-
 .../src/utils/get-latest-version.ts | 2 +-
 yarn.lock | 86 ++++++++-----------
 4 files changed, 45 insertions(+), 50 deletions(-)
 create mode 100644 .changeset/spotty-pans-serve.md
diff --git a/.changeset/spotty-pans-serve.md b/.changeset/spotty-pans-serve.md
new file mode 100644
index 00000000000..eb7a88264ae
--- /dev/null
+++ b/.changeset/spotty-pans-serve.md
@@ -0,0 +1,5 @@
+---
+"@graphql-codegen/cli": minor
+---
+
+Replace cross-undici-fetch with @whatwg-node/fetch to fix security vulnerability from undici
diff --git a/packages/graphql-codegen-cli/package.json b/packages/graphql-codegen-cli/package.json
index c845ca46d36..33fde83941a 100644
--- a/packages/graphql-codegen-cli/package.json
+++ b/packages/graphql-codegen-cli/package.json
@@ -52,11 +52,11 @@
 "@graphql-tools/prisma-loader": "^7.2.2",
 "@graphql-tools/url-loader": "^7.12.1",
 "@graphql-tools/utils": "^8.8.0",
+"@whatwg-node/fetch": "^0.0.2",
 "ansi-escapes": "^4.3.1",
 "chalk": "^4.1.0",
 "chokidar": "^3.5.2",
 "cosmiconfig": "^7.0.0",
-"cross-undici-fetch": "^0.4.11",
 "debounce": "^1.2.0",
 "detect-indent": "^6.0.0",
 "graphql-config": "^4.3.1",
diff --git a/packages/graphql-codegen-cli/src/utils/get-latest-version.ts b/packages/graphql-codegen-cli/src/utils/get-latest-version.ts
index 817f5aa7b91..db1354c893b 100644
--- a/packages/graphql-codegen-cli/src/utils/get-latest-version.ts
+++ b/packages/graphql-codegen-cli/src/utils/get-latest-version.ts
@@ -1,4 +1,4 @@
-import { fetch } from 'cross-undici-fetch';
+import { fetch } from '@whatwg-node/fetch';

 /**
 * Fetches the version directly from the registry instead of depending on
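Review bot: The `"@whatwg-node/fetch": "^0.0.2"` entry added to `dependencies` does not by itself move undici out of the affected range: the yarn.lock section of this same patch resolves `@whatwg-node/fetch@0.0.2` with an exact `undici "5.5.1"` dependency, which is below the 5.8.0 named in the subject line. A caret range on a 0.0.x version admits only that exact release, so a later release of the wrapper with a newer undici will not be picked up without another edit to this line. I would either raise the range to a release whose undici dependency is 5.8.0 or newer, or force the transitive version from the workspace root with Yarn's `"resolutions": { "undici": "^5.8.0" }` (the root package.json is not part of this patch, so check what it already carries). Running `yarn why undici` after the install shows which copies remain in the tree.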
diff --git a/yarn.lock b/yarn.lock index 661b57c9c3b..0ab51864643 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3902,7 +3902,7 @@ resolved "https://registry.yarnpkg.com/@types/js-yaml/-/js-yaml-4.0.5.tgz#738dd390a6ecc5442f35e7f03fa1431353f7e138" integrity sha512-FhpRzf927MNQdRZP0J5DLIdTXhjLYzeUTmLAu69mnVksLH9CJY3IuSeEgbKUki7GQZm0WqDkGzyxju2EZGD2wA== -"@types/json-schema@7.0.9", "@types/json-schema@^7.0.9": +"@types/json-schema@^7.0.9": version "7.0.9" resolved "https://registry.yarnpkg.com/@types/json-schema/-/json-schema-7.0.9.tgz#97edc9037ea0c38585320b28964dde3b39e4660d" integrity sha512-qcUXuemtEu+E5wZSJHNxUXeCZhAfXKQ41D+duX+VYPde7xyEVZci+/oXKJL13tnRs9lR2pr4fod59GT6/X1/yQ== @@ -4361,6 +4361,19 @@ resolved "https://registry.yarnpkg.com/@vue/shared/-/shared-3.2.37.tgz#8e6adc3f2759af52f0e85863dfb0b711ecc5c702" integrity sha512-4rSJemR2NQIo9Klm1vabqWjD8rs/ZaJSzMxkMNeJS6lHiUjjUeYFbooN19NgFjztubEKh3WlZUeOLVdbbUWHsw== +"@whatwg-node/fetch@^0.0.2": + version "0.0.2" + resolved "https://registry.yarnpkg.com/@whatwg-node/fetch/-/fetch-0.0.2.tgz#4242c4e36714b5018ccac0ab76f4ab5a208fbc1c" + integrity sha512-qiZn8dYRg0POzUvmHBs7blLxl6DPL+b+Z0JUsGaj7/8PFe2BJG9onrUVX6OWh6Z9YhcYw8yu+wtCAme5ZMiCKQ== + dependencies: + abort-controller "^3.0.0" + busboy "^1.6.0" + form-data-encoder "^1.7.1" + formdata-node "^4.3.1" + node-fetch "^2.6.7" + undici "5.5.1" + web-streams-polyfill "^3.2.0" + "@wry/context@^0.6.0": version "0.6.1" resolved "https://registry.yarnpkg.com/@wry/context/-/context-0.6.1.tgz#c3c29c0ad622adb00f6a53303c4f965ee06ebeb2" @@ -8262,7 +8275,7 @@ graphlib@^2.1.8: dependencies: lodash "^4.17.15" -graphql-config@^4.1.0, graphql-config@^4.3.1: +graphql-config@^4.3.1: version "4.3.1" resolved "https://registry.yarnpkg.com/graphql-config/-/graphql-config-4.3.1.tgz#636b539b1acc06fb48012d0e0f228014ccb0325f" integrity sha512-czBWzJSGaLJfOHBLuUTZVRTjfgohPfvlaeN1B5nXBVptFARpiFuS7iI4FnRhCGwm6qt1h2j1g05nkg0OIGA6bg== 
@@ -8297,41 +8310,6 @@ graphql-jit@0.7.4: lodash.merge "4.6.2" lodash.mergewith "4.6.2" -graphql-language-service-interface@2.10.2: - version "2.10.2" - resolved "https://registry.yarnpkg.com/graphql-language-service-interface/-/graphql-language-service-interface-2.10.2.tgz#de9386f699e446320256175e215cdc10ccf9f9b7" - integrity sha512-RKIEBPhRMWdXY3fxRs99XysTDnEgAvNbu8ov/5iOlnkZsWQNzitjtd0O0l1CutQOQt3iXoHde7w8uhCnKL4tcg== - dependencies: - graphql-config "^4.1.0" - graphql-language-service-parser "^1.10.4" - graphql-language-service-types "^1.8.7" - graphql-language-service-utils "^2.7.1" - vscode-languageserver-types "^3.15.1" - -graphql-language-service-parser@^1.10.4: - version "1.10.4" - resolved "https://registry.yarnpkg.com/graphql-language-service-parser/-/graphql-language-service-parser-1.10.4.tgz#b2979deefc5c0df571dacd409b2d5fbf1cdf7a9d" - integrity sha512-duDE+0aeKLFVrb9Kf28U84ZEHhHcvTjWIT6dJbIAQJWBaDoht0D4BK9EIhd94I3DtKRc1JCJb2+70y1lvP/hiA== - dependencies: - graphql-language-service-types "^1.8.7" - -graphql-language-service-types@^1.8.7: - version "1.8.7" - resolved "https://registry.yarnpkg.com/graphql-language-service-types/-/graphql-language-service-types-1.8.7.tgz#f5e909e6d9334ea2d8d1f7281b695b6f5602c07f" - integrity sha512-LP/Mx0nFBshYEyD0Ny6EVGfacJAGVx+qXtlJP4hLzUdBNOGimfDNtMVIdZANBXHXcM41MDgMHTnyEx2g6/Ttbw== - dependencies: - graphql-config "^4.1.0" - vscode-languageserver-types "^3.15.1" - -graphql-language-service-utils@^2.7.1: - version "2.7.1" - resolved "https://registry.yarnpkg.com/graphql-language-service-utils/-/graphql-language-service-utils-2.7.1.tgz#c97c8d744a761480aba7e03e4a42adf28b6fce39" - integrity sha512-Wci5MbrQj+6d7rfvbORrA9uDlfMysBWYaG49ST5TKylNaXYFf3ixFOa74iM1KtM9eidosUbI3E1JlWi0JaidJA== - dependencies: - "@types/json-schema" "7.0.9" - graphql-language-service-types "^1.8.7" - nullthrows "^1.0.0" - graphql-request@4.3.0, graphql-request@^4.0.0: version "4.3.0" resolved 
"https://registry.yarnpkg.com/graphql-request/-/graphql-request-4.3.0.tgz#b934e08fcae764aa2cdc697d3c821f046cb5dbf2" @@ -8360,7 +8338,7 @@ graphql-ws@^5.4.1: resolved "https://registry.yarnpkg.com/graphql-ws/-/graphql-ws-5.9.1.tgz#9c0fa48ceb695d61d574ed3ab21b426729e87f2d" integrity sha512-mL/SWGBwIT9Meq0NlfS55yXXTOeWPMbK7bZBEZhFu46bcGk1coTx2Sdtzxdk+9yHWngD+Fk1PZDWaAutQa9tpw== -graphql@16.5.0, graphql@^16.0.0: +graphql@16.5.0: version "16.5.0" resolved "https://registry.yarnpkg.com/graphql/-/graphql-16.5.0.tgz#41b5c1182eaac7f3d47164fb247f61e4dfb69c85" integrity sha512-qbHgh8Ix+j/qY+a/ZcJnFQ+j8ezakqPiHwPiZhV/3PgGlgf96QMBB5/f2rkiC9sgLoy/xvT6TSiaf2nTHJh5iA== @@ -9598,7 +9576,7 @@ jest-resolve@^27.5.1: resolve.exports "^1.1.0" slash "^3.0.0" -jest-runner@27.5.1, jest-runner@^27.5.1: +jest-runner@^27.5.1: version "27.5.1" resolved "https://registry.yarnpkg.com/jest-runner/-/jest-runner-27.5.1.tgz#071b27c1fa30d90540805c5645a0ec167c7b62e5" integrity sha512-g4NPsM4mFCOwFKXO4p/H/kWGdJp9V8kURY2lX8Me2drgXqG7rrZAx5kv+5H7wtt/cdFIjhqYx1HrlqWHaOvDaQ== @@ -11508,7 +11486,7 @@ nth-check@^2.0.1: dependencies: boolbase "^1.0.0" -nullthrows@^1.0.0, nullthrows@^1.1.1: +nullthrows@^1.1.1: version "1.1.1" resolved "https://registry.yarnpkg.com/nullthrows/-/nullthrows-1.1.1.tgz#7818258843856ae971eae4208ad7d7eb19a431b1" integrity sha512-2vPPEi+Z7WqML2jZYddDIfy5Dqb0r2fze2zTxNNknZaFpVHU3mFB3R+DWeJWGVx0ecvttSGlJTI+WG+8Z4cDWw== 
@@ -12384,11 +12362,16 @@ prettier-plugin-tailwindcss@0.1.11: resolved "https://registry.yarnpkg.com/prettier-plugin-tailwindcss/-/prettier-plugin-tailwindcss-0.1.11.tgz#6112da68d9d022b7f896d35c070464931c99c35f" integrity sha512-a28+1jvpIZQdZ/W97wOXb6VqI762MKE/TxMMuibMEHhyYsSxQA8Ek30KObd5kJI2HF1ldtSYprFayXJXi3pz8Q== -prettier@2.7.1, prettier@^1.19.1: +prettier@2.7.1: version "2.7.1" resolved "https://registry.yarnpkg.com/prettier/-/prettier-2.7.1.tgz#e235806850d057f97bb08368a4f7d899f7760c64" integrity sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g== +prettier@^1.19.1: + version "1.19.1" + resolved "https://registry.yarnpkg.com/prettier/-/prettier-1.19.1.tgz#f7d7f5ff8a9cd872a7be4ca142095956a60797cb" + integrity sha512-s7PoyDv/II1ObgQunCbB9PdLmUcBZcnWOcxDh7O0N/UwDEsHyqkW+Qh28jW+mVuCdx7gLB0BotYI1Y6uI9iyew== + pretty-format@^27.0.0, pretty-format@^27.5.1: version "27.5.1" resolved "https://registry.yarnpkg.com/pretty-format/-/pretty-format-27.5.1.tgz#2181879fdea51a7a5851fb39d920faa63f01d88e" @@ -13592,7 +13575,7 @@ source-map-resolve@^0.5.0: source-map-url "^0.4.0" urix "^0.1.0" -source-map-support@^0.5.16, source-map-support@^0.5.6: +source-map-support@^0.5.16, source-map-support@^0.5.17, source-map-support@^0.5.6: version "0.5.21" resolved "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.5.21.tgz#04fe7c7f9e1ed2d662233c28cb2b35b9f63f6e4f" integrity sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w== 
@@ -14376,7 +14359,7 @@ ts-log@^2.2.3: resolved "https://registry.yarnpkg.com/ts-log/-/ts-log-2.2.4.tgz#d672cf904b33735eaba67a7395c93d45fba475b3" integrity sha512-DEQrfv6l7IvN2jlzc/VTdZJYsWUnQNCsueYjMkC/iXoEoi5fNan6MjeDqkvhfzbmHgdz9UxDUluX3V5HdjTydQ== -ts-node@10.8.2, ts-node@^10.2.1, ts-node@^9: +ts-node@10.8.2, ts-node@^10.2.1: version "10.8.2" resolved "https://registry.yarnpkg.com/ts-node/-/ts-node-10.8.2.tgz#3185b75228cef116bf82ffe8762594f54b2a23f2" integrity sha512-LYdGnoGddf1D6v8REPtIH+5iq/gTDuZqv2/UJUU7tKjuEU8xVZorBM+buCGNjj+pGEud+sOoM4CX3/YzINpENA== @@ -14395,6 +14378,18 @@ ts-node@10.8.2, ts-node@^10.2.1, ts-node@^9: v8-compile-cache-lib "^3.0.1" yn "3.1.1" +ts-node@^9: + version "9.1.1" + resolved "https://registry.yarnpkg.com/ts-node/-/ts-node-9.1.1.tgz#51a9a450a3e959401bda5f004a72d54b936d376d" + integrity sha512-hPlt7ZACERQGf03M253ytLY3dHbGNGrAq9qIHWUY9XHYl1z7wYngSr3OQ5xmui8o2AaxsONxIzjafLUiWBo1Fg== + dependencies: + arg "^4.1.0" + create-require "^1.1.0" + diff "^4.0.1" + make-error "^1.1.1" + source-map-support "^0.5.17" + yn "3.1.1" + tsconfig-paths@^3.14.1: version "3.14.1" resolved "https://registry.yarnpkg.com/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz#ba0734599e8ea36c862798e920bcf163277b137a" @@ -15007,11 +15002,6 @@ void-elements@3.1.0: resolved "https://registry.yarnpkg.com/void-elements/-/void-elements-3.1.0.tgz#614f7fbf8d801f0bb5f0661f5b2f5785750e4f09" integrity sha512-Dhxzh5HZuiHQhbvTW9AMetFfBHDMYpo23Uo9btPXgdYP+3T5S+p+jgNy7spra+veYhBP2dCSgxR/i2Y02h5/6w== -vscode-languageserver-types@^3.15.1: - version "3.17.1" - resolved "https://registry.yarnpkg.com/vscode-languageserver-types/-/vscode-languageserver-types-3.17.1.tgz#c2d87fa7784f8cac389deb3ff1e2d9a7bef07e16" - integrity sha512-K3HqVRPElLZVVPtMeKlsyL9aK0GxGQpvtAUTfX4k7+iJ4mc1M+JM+zQwkgGy2LzY0f0IAafe8MKqIkJrxfGGjQ== - vscode-oniguruma@^1.6.1: version "1.6.2" resolved "https://registry.yarnpkg.com/vscode-oniguruma/-/vscode-oniguruma-1.6.2.tgz#aeb9771a2f1dbfc9083c8a7fdd9cccaa3f386607"