dimaMachina / graphql-eslint

ESLint parser, plugin, and rule set for GraphQL (for schema and operations). Easily customizable with custom rules. Integrates with IDEs and modern GraphQL tools.
https://the-guild.dev/graphql/eslint
MIT License
800 stars 104 forks

Depends on vulnerable versions of ws #2564

Closed kdawgwilk closed 2 days ago

kdawgwilk commented 2 months ago
ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
node_modules/@graphql-eslint/eslint-plugin/node_modules/@graphql-tools/executor-graphql-ws/node_modules/ws
node_modules/@graphql-eslint/eslint-plugin/node_modules/@graphql-tools/executor-legacy-ws/node_modules/ws
  @graphql-tools/executor-graphql-ws  <=1.0.1
  Depends on vulnerable versions of ws
  node_modules/@graphql-eslint/eslint-plugin/node_modules/@graphql-tools/executor-graphql-ws
    @graphql-tools/url-loader  7.16.13-alpha-20221108142800-3beb5fe2 - 8.0.0-rc-20230519104627-f6fea064
    Depends on vulnerable versions of @graphql-tools/executor-graphql-ws
    Depends on vulnerable versions of @graphql-tools/executor-legacy-ws
    node_modules/@graphql-eslint/eslint-plugin/node_modules/@graphql-tools/url-loader
  @graphql-tools/executor-legacy-ws  <=1.0.5-rc-20231209231904-e54d73f101707443b905403caac59ece59c784aa
  Depends on vulnerable versions of ws
  node_modules/@graphql-eslint/eslint-plugin/node_modules/@graphql-tools/executor-legacy-ws

This package is getting flagged because it depends on old versions of the @graphql-tools/* packages and has not been updated in a long time.
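A defender-side check for the report above, added here as an example that is not part of the graphql-eslint project or of this thread: it walks a node_modules tree and lists every copy of ws (including copies nested under other packages, which is where the audit output found them) whose version falls in the range the advisory lists, 8.0.0 through 8.17.0. It assumes each copy ships a package.json with a `"version"` line.

```shell
#!/bin/sh
# Added example, not project code. Walks a node_modules tree and reports
# every copy of `ws` whose version is in the affected range (8.0.0 - 8.17.0).
# Assumption: each ws copy has a package.json containing a `"version": "x.y.z"` line.
# Usage: find_vulnerable_ws ./node_modules

# Print "<path> <version>" for each ws copy in the affected range under $1.
find_vulnerable_ws() {
  root="$1"
  find "$root" -type f -path '*/node_modules/ws/package.json' | sort | while read -r pkg; do
    ver=$(sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    if ws_version_is_affected "$ver"; then
      printf '%s %s\n' "$(dirname "$pkg")" "$ver"
    fi
  done
}

# Return 0 when a ws version is >= 8.0.0 and <= 8.17.0 (pre-release tags are ignored).
ws_version_is_affected() {
  base=${1%%-*}                       # drop any "-rc..." pre-release suffix
  major=${base%%.*}; rest=${base#*.}
  minor=${rest%%.*};  patch=${rest#*.}
  # Reject anything that is not three numeric components.
  case "$major$minor$patch" in *[!0-9]*|'') return 1 ;; esac
  [ "$major" -eq 8 ] || return 1
  [ "$minor" -lt 17 ] && return 0
  [ "$minor" -eq 17 ] && [ "$patch" -eq 0 ] && return 0
  return 1
}
```

Running it before and after bumping the @graphql-tools/* dependencies shows whether the nested copies listed in the audit output are actually gone.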

demershov commented 1 month ago

@kdawgwilk There is already a similar issue https://github.com/dimaMachina/graphql-eslint/issues/2423

dimaMachina commented 2 days ago

https://github.com/dimaMachina/graphql-eslint/issues/2423#issuecomment-2480532211