Urigo / graphql-cli

📟 Command line tool for common GraphQL development workflows

Home Page: https://graphql-cli.com


Command Injection vulnerability

ajmakhl opened this issue · comments

Describe the bug
When I install graphql-cli I get "found 4 vulnerabilities (3 moderate, 1 critical)".

To Reproduce
Steps to reproduce the behavior:

  1. mkdir example
  2. cd example/
  3. npm init -y
  4. npm install --save graphql-cli

Expected behavior
I should see 0 vulnerabilities or at least no critical ones.

Screenshots
[Screenshot: Screen Shot 2019-03-30 at 7:29:22 AM, image not included]

  • OS: macOS Mojave
  • graphql-cli: ^3.0.11

Additional context
I just want to know if this is going to be a problem if I push my app to production.

@ajmakhl I have the same problem too. Did you find anything?

For the moderate vulnerability, the module sync-exec is vulnerable.
It is in:

-- graphql-cli@3.0.11
  -- npm-run@4.1.2
    -- sync-exec@0.6.2

The version npm-run@5.0.1 corrects this problem.

Can you upgrade npm-run to 5.0.1?
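The comment above locates sync-exec by reading the dependency tree by hand. The script below is an added example (not code from graphql-cli or from anyone in this thread) that does the same walk over an npm v1 lockfile, the layout npm 6 wrote in 2019, and lists every path that reaches a given package. It goes one step beyond the thread: it also shows why bumping a single parent is not always enough, because npm keeps an older copy hoisted when another dependency still requires it. Both lockfile objects are constructed for the example; LOCK_BEFORE mirrors the tree quoted above, while LOCK_AFTER, the package "some-other-tool" and a graphql-cli@3.0.12 that depends on npm-run@^5.0.1 are hypothetical and exist only to produce a second path.

```javascript
// Added example, not code from graphql-cli or from this thread.
// Walks an npm v1 lockfile and reports every dependency path to a package,
// then flags copies of a package that are older than the version a fix landed in.

// CONSTRUCTED package.json / package-lock.json pair mirroring the tree quoted
// in the comment above.
const PKG_BEFORE = { dependencies: { 'graphql-cli': '^3.0.11' } };
const LOCK_BEFORE = {
  lockfileVersion: 1,
  dependencies: {
    'graphql-cli': { version: '3.0.11', requires: { 'npm-run': '^4.1.2' } },
    'npm-run':     { version: '4.1.2',  requires: { 'sync-exec': '^0.6.2' } },
    'sync-exec':   { version: '0.6.2' },
  },
};

// HYPOTHETICAL state after one parent moves to npm-run@5.0.1 while another
// (invented) dependency still wants npm-run@4: npm nests the new copy under
// graphql-cli and keeps the old one hoisted, so sync-exec is still installed.
const PKG_AFTER = { dependencies: { 'graphql-cli': '^3.0.12', 'some-other-tool': '^1.0.0' } };
const LOCK_AFTER = {
  lockfileVersion: 1,
  dependencies: {
    'graphql-cli': {
      version: '3.0.12',
      requires: { 'npm-run': '^5.0.1' },
      dependencies: { 'npm-run': { version: '5.0.1' } },
    },
    'some-other-tool': { version: '1.0.0', requires: { 'npm-run': '^4.1.2' } },
    'npm-run':   { version: '4.1.2', requires: { 'sync-exec': '^0.6.2' } },
    'sync-exec': { version: '0.6.2' },
  },
};

// npm's nesting rule: a package resolves a dependency from the nearest
// enclosing node_modules first, then walks outward towards the project root.
function resolveDep(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies;
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null; // not installed at all (e.g. an optional dependency that was skipped)
}

// Every path from the project's own dependencies down to `target`, each as a
// list of "name@version" strings.
function findPaths(lock, pkgJson, target) {
  const found = [];
  function walk(requires, scopes, trail) {
    for (const name of Object.keys(requires || {})) {
      const node = resolveDep(name, scopes);
      if (!node) continue;
      const label = `${name}@${node.version}`;
      if (trail.includes(label)) continue; // guard against dependency cycles
      const next = trail.concat(label);
      if (name === target) { found.push(next); continue; }
      walk(node.requires, scopes.concat(node), next);
    }
  }
  walk(pkgJson.dependencies, [lock], []);
  return found;
}

// Minimal comparison of release versions (major.minor.patch, no pre-release
// tags): enough to ask "is this installed copy older than the fixed version?"
function versionLt(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Paths whose final package is a copy of `name` older than `fixedIn`.
function outdatedCopies(lock, pkgJson, name, fixedIn) {
  return findPaths(lock, pkgJson, name).filter((path) => {
    const last = path[path.length - 1];
    const version = last.slice(last.lastIndexOf('@') + 1); // lastIndexOf handles @scope/pkg
    return versionLt(version, fixedIn);
  });
}

// Human-readable report for both constructed trees.
function report() {
  const lines = [];
  for (const [label, lock, pkg] of [['before', LOCK_BEFORE, PKG_BEFORE], ['after', LOCK_AFTER, PKG_AFTER]]) {
    lines.push(`[${label}] paths to sync-exec:`);
    for (const p of findPaths(lock, pkg, 'sync-exec')) lines.push('  ' + p.join(' > '));
    lines.push(`[${label}] npm-run copies older than 5.0.1 (the fix named in this thread):`);
    for (const p of outdatedCopies(lock, pkg, 'npm-run', '5.0.1')) lines.push('  ' + p.join(' > '));
  }
  return lines;
}

console.log(report().join('\n'));
```

On a real project `npm ls sync-exec` prints the same kind of path listing, and `npm audit` reports the advisories; the point of the script is the "after" case, where the upgraded graphql-cli no longer reaches sync-exec but a hoisted npm-run@4.1.2 kept alive by another dependency still does. Check every path, not just the one you fixed.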

We've just released a new alpha version channel for GraphQL CLI - 4.0.0-alpha.XXX !!

We've updated all the dependencies.

Check out the new instructions and the migration guide on the docs and let us know if you experience any more issues!