Open SpooRe91 opened 3 weeks ago
Hi @SpooRe91,

`micromatch` is not pinned in the latest version of @graphql-codegen/cli here:

`"micromatch": "^4.0.5",`

This means as the user, you can install the latest version of micromatch by using one of these options (not exhaustive list):

- micromatch
- in your repo, then re-install them all to bump micromatch to the latest version

Apart from that, @graphql-codegen/cli is a devDep that is run locally on your machine so normally security audits shouldn't be looking into dev packages of this nature 🙂
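To make the caret-range point concrete, here is an added example (not code from @graphql-codegen/cli or micromatch) that checks whether a declared range such as `^4.0.5` admits a given patched version and what the lockfile currently resolves to. It assumes the npm lockfile v2/v3 layout (`packages["node_modules/<name>"].version`), and `PATCHED_VERSION` is a placeholder to be replaced with the version named in the advisory.

```javascript
// Added example: does "^4.0.5" let a reinstall pull a patched micromatch,
// and which version does the lockfile pin today?

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics: >= base, and the leftmost non-zero component of the
// base (major for 4.0.5, minor for 0.2.3, patch for 0.0.3) may not change.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const b = parseVersion(base), v = parseVersion(version);
  const lockIdx = b.findIndex((x) => x !== 0);
  const fixed = lockIdx === -1 ? 2 : lockIdx;
  for (let i = 0; i <= fixed; i++) if (v[i] !== b[i]) return false;
  return true;
}

// Resolved version of a package from an npm lockfile (v2/v3 "packages" map).
function resolvedVersion(lockfile, name) {
  const entry = lockfile.packages && lockfile.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

function auditDependency(declaredRange, lockfile, name, patchedVersion) {
  const installed = resolvedVersion(lockfile, name);
  return {
    installed,
    rangeAllowsPatched: caretSatisfies(declaredRange, patchedVersion),
    installedIsPatched:
      installed !== null && compareVersions(installed, patchedVersion) >= 0,
  };
}

// Constructed sample lockfile excerpt; PATCHED_VERSION is a placeholder,
// substitute the patched version given in the advisory.
const SAMPLE_LOCK = { packages: { 'node_modules/micromatch': { version: '4.0.5' } } };
const PATCHED_VERSION = '4.1.0';
const report = auditDependency('^4.0.5', SAMPLE_LOCK, 'micromatch', PATCHED_VERSION);
console.log(report);
```

`rangeAllowsPatched: true` together with `installedIsPatched: false` means the fix is a lockfile bump on the consumer side, not a change to the library's package.json.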
Which packages are impacted by your issue?
No response
Describe the bug
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Your Example Website or App
a
Steps to Reproduce the Bug or Issue
go to the @graphql-codegen/cli and check the package.json file; the micromatch should be updated to its latest version to avoid vulnerabilities
Expected behavior
go to the @graphql-codegen/cli and check the package.json file; the micromatch should be updated to its latest version to avoid vulnerabilities
Screenshots or Videos
No response
Platform
graphql version: [e.g. 16.9.0]
@graphql-codegen/* version(s): [5.0.2]
Codegen Config File
No response
Additional context
No response