Command Injection vulnerability
ajmakhl opened this issue · comments
Describe the bug
When I install graphql-cli I get "found 4 vulnerabilities (3 moderate, 1 critical)".
To Reproduce
Steps to reproduce the behavior:
mkdir example
cd example/
npm init -y
npm install --save graphql-cli
Expected behavior
I should see 0 vulnerabilities or at least no critical ones.
- OS: macOS Mojave
- graphql-cli: ^3.0.11
Additional context
I just want to know if this is going to be a problem if I push my app to production.
@ajmakhl I have the same problem too. Did you find anything?
For the moderate vulnerability, the module sync-exec is vulnerable.
It is in
-- graphql-cli@3.0.11
-- npm-run@4.1.2
-- sync-exec@0.6.2
The version npm-run@5.0.1 corrects this problem.
Can you upgrade npm-run to 5.0.1 ?
We've just released a new alpha version channel for GraphQL CLI - 4.0.0-alpha.XXX!!
We've updated all the dependencies.
Check out the new instructions and the migration guide on the docs and let us know if you experience any more issues!