Closed cdupuis closed 5 years ago
This was introduced in https://github.com/dotansimha/graphql-code-generator/pull/2540
This was introduced by adding relay-compiler in order to allow selection set optimizations.
I'm thinking about using the optimizers as-is, without the entire relay-compiler library. @n1ru4l what do you think?
How would mem be a security issue? GraphQL Code Generator is a Development only Tool 🤷♂️.
@dotansimha what would be the benefit of doing this?
@n1ru4l you are right, it's a dev tool, but it still causes a warning to show, and that's the only reason I would like to fix that ;) I guess you are right, it might not be worth the benefit of maintaining it in our codebase.
I think this should be fixed in relay and then we can update the relay-compiler package.
I can understand that the warning can be annoying, but unfortunately snyk and co should do a better job when dealing with dev dependencies vs production dependencies 😅.
@n1ru4l you are right.
Closing this issue. When relay-compiler updates it, we'll update as well.
If you wish to work around that, you can use the Yarn resolutions field.
As an aside, the code that uses yargs is the binary version of relay-compiler and was never used by us to begin with, but indeed, this is for relay-compiler to fix. I didn't find any open issues there though, nobody seems to have mentioned this before, at least not in their current monorepo.
Version 1.8.0 seems to introduce a transitive dependency to mem@1.1.0 which raises security vulnerability alerts, e.g. at https://snyk.io/vuln/npm:mem:20180117
The dependency tree looks as follows:
Is there any chance this dependency can be updated to mitigate this alert?
(Updated to include a proper link to a security advisory)