dotansimha / graphql-code-generator

A tool for generating code based on a GraphQL schema and GraphQL operations (query/mutation/subscription), with flexible support for custom plugins.
https://the-guild.dev/graphql/codegen/
MIT License
10.78k stars 1.32k forks

suggest: update the "@graphql-codegen/cli" dependency - 'micromatch' to "micromatch": ">=4.0.8" #10125

Open SpooRe91 opened 3 weeks ago

SpooRe91 commented 3 weeks ago

Which packages are impacted by your issue?

No response

Describe the bug

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Your Example Website or App

a

Steps to Reproduce the Bug or Issue

go to the @graphql-codegen/cli and check package.json file, the micromatch should be updated to its latest version to avoid vulnerabilities

Expected behavior

go to the @graphql-codegen/cli and check package.json file, the micromatch should be updated to its latest version to avoid vulnerabilities

Screenshots or Videos

No response

Platform

Codegen Config File

No response

Additional context

No response

eddeee888 commented 1 week ago

Hi @SpooRe91 ,

micromatch is not pinned in the latest version of @graphql-codegen/cli here:

"micromatch": "^4.0.5",

This means as the user, you can install the latest version of micromatch by using one of these options (not exhaustive list):

  1. using Yarn's resolutions (Yarn 1.x) or the equivalent
  2. remove all deps that use micromatch in your repo, then re-install them all to bump micromatch to the latest version

Apart from that, @graphql-codegen/cli is a devDeps that is run locally on your machine so normally security audits shouldn't be looking into dev packages of this nature 🙂