dillonkearns / elm-graphql

Autogenerate type-safe GraphQL queries in Elm.

Home Page:https://package.elm-lang.org/packages/dillonkearns/elm-graphql/latest


Vulnerability in node-fetch - DoS

Hermanverschooten opened this issue · comments

I just pushed a project using @dillonkearns/elm-graphql and got a warning from GitHub about a security vulnerability.
I ran npm audit and this was the result:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @dillonkearns/elm-graphql [dev]                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @dillonkearns/elm-graphql > graphql-request > cross-fetch >  │
│               │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 881 scanned packages
  1 vulnerability requires manual review. See the full report for details.

This is apparently fixed in the latest version of graphql-request. I would love to send a PR, but I know nothing about your package's internals and what it may break.

Do you have elm-graphql installed as a dev dependency or a regular dependency? It's worth noting that the graphql-request code doesn't end up in your application, it's just used to run the CLI task in your build step. I'm not sure if the npm audit makes a distinction between dev vs. prod dependencies or not.

I have it as a dev dependency. But it is not just npm audit, it's also GitHub that complains every time I push my code.
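As an added example, not code from this issue or from the elm-graphql project: a small checker that tells you whether an installed node-fetch version falls inside the "Patched in" range quoted in the audit table above. PATCHED_IN is copied from the report; the semver comparison is written here for illustration and mirrors npm's rules for the cases this range exercises (numeric prerelease identifiers, releases ranking above their prereleases).

```javascript
// Added example (not from the issue or elm-graphql): decide whether an installed
// node-fetch version lies inside the "Patched in" range that npm audit printed.
// Covers the semver details this range needs: "beta.10" > "beta.9", and "3.0.0" > "3.0.0-beta.x".
const PATCHED_IN = '>=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9'; // copied from the audit report
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id)) : [],
  };
}

// Sort-style comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  // Same major.minor.patch: the version without a prerelease tag is the higher one.
  if (a.pre.length === 0 || b.pre.length === 0) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (i >= a.pre.length) return -1; // shorter prerelease list sorts first
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x - y;
    if (typeof x === 'number') return -1; // numeric identifiers sort before alphanumeric
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}
const OPS = { '>=': c => c >= 0, '>': c => c > 0, '<=': c => c <= 0, '<': c => c < 0, '=': c => c === 0 };

// True if `version` satisfies the "||"-separated range (each clause is an AND of comparators).
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(clause => {
    const comps = [...clause.matchAll(/(>=|<=|>|<|=)?\s*(v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/g)]
      .map(([, op = '=', ver]) => ({ op, ver: parseVersion(ver) }));
    const inRange = comps.length > 0 && comps.every(c => OPS[c.op](compareVersions(v, c.ver)));
    // npm's extra rule: a prerelease only matches a clause that names a prerelease of the
    // same major.minor.patch, so 2.9.0-rc.1 is NOT covered by ">=2.6.1 <3.0.0-beta.1".
    const preOk = v.pre.length === 0 ||
      comps.some(c => c.ver.pre.length > 0 && c.ver.main.every((n, i) => n === v.main[i]));
    return inRange && preOk;
  });
}
function nodeFetchIsPatched(installedVersion) {
  return satisfies(installedVersion, PATCHED_IN);
}
```

If the finding sits only under devDependencies, `npm audit --production` (npm 6.10 and later) or `npm audit --omit=dev` (npm 7 and later) reports only what ships in the runtime dependency tree.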