Closed navv-christofer-flores closed 2 months ago
Hi @navv-christofer-flores

Consumers of `@graphql-codegen/cli` don't need to wait for it to upgrade for a few reasons:

- `@graphql-codegen/cli` is a dev dependency and most security managers e.g. Snyk would not catch issues only used in dev
- `@graphql-codegen/cli` is using `micromatch@^4.0.5` which brings in `braces@^3.0.2`. The `^` is important because it means `@graphql-codegen/cli` is not directly or indirectly exactly pinning `braces` to the vulnerable version 3.0.2. This means consumers are able to, and should, update `braces` to later versions if they want. Some approaches I've used in the past:
  - `resolutions` (for `yarn`) or equivalent to bump the version, then `resolutions` can be removed from package.json

I'll close this because it can be fixed on the consumer side, and fresh installations do not have this issue.
Please let me know if it cannot be fixed on your end and I'll re-open this issue.
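An added example of the consumer-side check and fix described in the comment above (not code from this thread or from the graphql-codegen project): it scans an npm v2/v3 lockfile for copies of `braces` older than the patched 3.0.3 and emits the `resolutions` (yarn) / `overrides` (npm) entry that bumps them. The lockfile is constructed for the demo, and `findVulnerableBraces`, `versionLessThan` and `overridesFor` are hypothetical helper names.

```javascript
// Added example, not project code. Scans an npm lockfile's "packages" map for
// vulnerable braces versions and builds the package.json override to fix them.

const PATCHED = "3.0.3"; // first braces release fixing GHSA-grv7-fg5c-xmjg

// Minimal semver comparison for plain x.y.z versions (no prerelease tags).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Return every install path in the lockfile that holds a braces < patched,
// including nested copies under other packages' node_modules.
function findVulnerableBraces(lockfile, patched = PATCHED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || typeof entry.version !== "string") continue;
    const name = path.split("node_modules/").pop();
    if (name !== "braces") continue;
    if (versionLessThan(entry.version, patched)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// package.json fragments a consumer can add to force the patched range;
// "resolutions" is read by yarn classic, "overrides" by npm 8.3+.
function overridesFor(patched = PATCHED) {
  return {
    resolutions: { braces: `^${patched}` },
    overrides: { braces: `^${patched}` },
  };
}

// Constructed sample lockfile mirroring the chain described in the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/@graphql-codegen/cli": { version: "5.0.2" },
    "node_modules/micromatch": { version: "4.0.5" },
    "node_modules/braces": { version: "3.0.2" },
    "node_modules/other-pkg/node_modules/braces": { version: "3.0.3" },
  },
};

console.log(findVulnerableBraces(sampleLock), overridesFor());
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; an empty result after reinstalling confirms the override took effect.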
Which packages are impacted by your issue?
@graphql-codegen/cli
Describe the bug
According to: https://github.com/advisories/GHSA-grv7-fg5c-xmjg
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
The current version of the library that the cli is using is: `braces@3.0.2`. Patched version: 3.0.3
Your Example Website or App
https://codesandbox.io/ (not really needed IMO)
Steps to Reproduce the Bug or Issue
1. Install `@graphql-codegen/cli`
2. A warning will show: 1 high severity vulnerability
Expected behavior
Upgrade to the suggested version of braces: v3.0.3
Screenshots or Videos
No response
Platform
@graphql-codegen/cli version(s): 5.0.2
Codegen Config File
No response
Additional context
No response