eddeee888
commented
3 months ago Hi @navv-christofer-flores
Consumers of @graphql-codegen/cli doesn't need to wait for it to upgrade for a few reasons:
@graphql-codegen/cliis a dev dependency and most security managers e.g. Snyk would not catch issues only used in dev@graphql-codegen/cliis usingmicromatch@^4.0.5which brings inbraces@^3.0.2. The^is important because it means@graphql-codegen/cliis not directly or indirectly exactly pinningbracesto the vulnerable version 3.0.2. This means consumers is able to, and should, updatebracesto later versions if they want. Some approaches I've used in the past:- Remove lockfile and re-install packages to get the new lockfile
- Use
resolutions(foryarn) or equivalent to bump the version, thenresolutionscan be removed from package.json
Which packages are impacted by your issue?
@graphql-codegen/cli
Describe the bug
According to: https://github.com/advisories/GHSA-grv7-fg5c-xmjg
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.The current version of the library that the cli is using is:
braces@3.0.2. Patched version:3.0.3Your Example Website or App
https://codesandbox.io/ ( not really need IMO)
Steps to Reproduce the Bug or Issue
1.- Install
@graphql-codegen/cli2.- A warning will show:1 high severity vulnerabilityExpected behavior
Upgrade to the suggested version of braces: v3.0.3
Screenshots or Videos
No response
Platform
@graphql-codegen/cleversion(s): 5.0.2Codegen Config File
No response
Additional context
No response