graphql / graphql-playground

🎮 GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration)
MIT License
8.77k stars 735 forks

Critical Vulnerability from npm audit #974

Open Magneticmagnum opened 5 years ago

Magneticmagnum commented 5 years ago

This issue pertains to the following package(s):

What OS and OS version are you experiencing the issue(s) on?

Windows 10

What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?

graphql-playground-middleware-express @ 1.7.11

What is the expected behavior?

No vulnerabilities when running npm audit

What is the actual behavior?

7 vulnerabilities (3 low, 2 high, 2 critical) found in npm audit

What steps may we take to reproduce the behavior?

```
npm i --save graphql-playground-middleware-express
npm audit
```

Please provide a gif or image of the issue for a quicker response/fix.

```
                       === npm audit security report ===

  Run  npm install --save-dev chai-http@4.2.1  to resolve 1 vulnerability
  SEMVER WARNING: Recommended action is a potentially breaking change

  Low            Large gzip Denial of Service
  Package        superagent
  Dependency of  chai-http [dev]
  Path           chai-http > superagent
  More info      https://nodesecurity.io/advisories/479

                               Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Critical       Command Injection
  Package        open
  Patched in     No patch available
  Dependency of  graphql-playground
  Path           graphql-playground > graphcool-styles > webpack-dev-server > open
  More info      https://nodesecurity.io/advisories/663

  Critical       Command Injection
  Package        open
  Patched in     No patch available
  Dependency of  graphql-playground
  Path           graphql-playground > graphcool-tmp-ui > graphcool-styles >
                 webpack-dev-server > open
  More info      https://nodesecurity.io/advisories/663

  High           Missing Origin Validation
  Package        webpack-dev-server
  Patched in     >=3.1.11
  Dependency of  graphql-playground
  Path           graphql-playground > graphcool-styles > webpack-dev-server
  More info      https://nodesecurity.io/advisories/725

  High           Missing Origin Validation
  Package        webpack-dev-server
  Patched in     >=3.1.11
  Dependency of  graphql-playground
  Path           graphql-playground > graphcool-tmp-ui > graphcool-styles >
                 webpack-dev-server
  More info      https://nodesecurity.io/advisories/725

  Low            Regular Expression Denial of Service
  Package        braces
  Patched in     >=2.3.1
  Dependency of  graphql-playground
  Path           graphql-playground > graphcool-styles > webpack-dev-server >
                 http-proxy-middleware > micromatch > braces
  More info      https://nodesecurity.io/advisories/786

  Low            Regular Expression Denial of Service
  Package        braces
  Patched in     >=2.3.1
  Dependency of  graphql-playground
  Path           graphql-playground > graphcool-tmp-ui > graphcool-styles >
                 webpack-dev-server > http-proxy-middleware > micromatch >
                 braces
  More info      https://nodesecurity.io/advisories/786

found 7 vulnerabilities (3 low, 2 high, 2 critical) in 10555 scanned packages
  1 vulnerability requires semver-major dependency updates.
  6 vulnerabilities require manual review.
  See the full report for details.
```

yoshiakis commented 5 years ago

Hi @Magneticmagnum, I think graphql-playground-middleware-express@1.7.11 only has graphql-playground-html@1.6.12 as a dependency, and graphql-playground-html@1.6.12 doesn't have any dependencies. Haven't you installed packages other than graphql-playground-middleware-express?
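The audit report above names `graphql-playground` (the React app) and `chai-http`, not `graphql-playground-middleware-express`, as the "Dependency of" each finding, and the reply points out that the middleware itself pulls in only `graphql-playground-html`. The practical check is to trace each flagged package back to the direct dependency that introduces it and note whether that chain starts in `dependencies` or `devDependencies`. The following script is an added example, not code from the graphql-playground project or from either participant: it walks a `package-lock.json` in the lockfileVersion 1 layout that npm 6 wrote at the time of this report and reproduces the "Path a > b > c" lines. The `package.json` and lockfile it contains are constructed to match the paths quoted in the audit output; versions are given only where the issue states them, and every other version is a placeholder.

```javascript
// Added example, not code from graphql-playground or from this issue: walk a
// package-lock.json (lockfileVersion 1) and list every path from a direct
// dependency to a package that `npm audit` flagged, so you can see whether the
// advisory is reachable from production dependencies or only via devDependencies.
//
// Name resolution follows npm's nested node_modules layout: a name listed in a
// package's "requires" is satisfied by the nearest enclosing "dependencies"
// map, falling back to the root of the lockfile.

// Constructed package.json and lockfile (assumptions, not a real install),
// shaped to reproduce the audit paths quoted in the issue. Versions are given
// only where the issue states them; "*" is a placeholder range.
const EXAMPLE_PACKAGE_JSON = {
  dependencies: { "graphql-playground-middleware-express": "1.7.11" },
  devDependencies: { "chai-http": "*", "graphql-playground": "*" },
};

const EXAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "graphql-playground-middleware-express": {
      version: "1.7.11",
      requires: { "graphql-playground-html": "1.6.12" },
    },
    "graphql-playground-html": { version: "1.6.12" },
    "chai-http": { dev: true, requires: { superagent: "*" } },
    superagent: { dev: true },
    "graphql-playground": {
      dev: true,
      requires: { "graphcool-styles": "*", "graphcool-tmp-ui": "*" },
    },
    "graphcool-tmp-ui": { dev: true, requires: { "graphcool-styles": "*" } },
    "graphcool-styles": { dev: true, requires: { "webpack-dev-server": "*" } },
    "webpack-dev-server": {
      dev: true,
      requires: { open: "*", "http-proxy-middleware": "*" },
      // a nested copy, i.e. webpack-dev-server/node_modules/open
      dependencies: { open: { dev: true } },
    },
    "http-proxy-middleware": { dev: true, requires: { micromatch: "*" } },
    micromatch: { dev: true, requires: { braces: "*" } },
    braces: { dev: true },
  },
};

// Resolve `name` as required by the last node in `ancestors`
// (`ancestors[0]` is the lockfile root, so the root map is the final fallback).
function resolve(ancestors, name) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const deps = ancestors[i].dependencies;
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

// Every path from a direct dependency of `pkg` to `target`, in the "a > b > c"
// order npm audit prints, tagged with whether the chain starts in devDependencies.
function findPaths(pkg, lock, target) {
  const found = [];
  function walk(name, node, ancestors, trail, dev) {
    if (trail.includes(name)) return; // cycle guard
    const path = trail.concat(name);
    if (name === target) {
      found.push({ path, dev });
      return;
    }
    const below = ancestors.concat(node);
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(below, dep);
      if (child) walk(dep, child, below, path, dev);
    }
  }
  for (const [field, dev] of [["dependencies", false], ["devDependencies", true]]) {
    for (const name of Object.keys(pkg[field] || {})) {
      const node = resolve([lock], name);
      if (node) walk(name, node, [lock], [], dev);
    }
  }
  return found;
}

// Summary for one flagged package: the audit-style paths and whether any of
// them starts from a production dependency.
function auditReachability(pkg, lock, target) {
  const found = findPaths(pkg, lock, target);
  return {
    package: target,
    paths: found.map((f) => f.path.join(" > ")),
    productionReachable: found.some((f) => !f.dev),
  };
}

for (const target of ["open", "braces", "graphql-playground-html"]) {
  console.log(JSON.stringify(auditReachability(EXAMPLE_PACKAGE_JSON, EXAMPLE_LOCK, target), null, 2));
}
```

In this constructed tree both `open` paths start at `graphql-playground` in `devDependencies`, so the command-injection advisory never enters the production dependency closure of the server that uses the middleware; `graphql-playground-html`, by contrast, is reached from a production dependency. A dev-only path is still worth fixing, since that code runs on developer machines and in CI, but it is a different risk from a package shipped to a server. Two caveats when applying this to a real project: newer npm releases accept `--omit=dev` (npm 6.x used `--production`) to restrict `npm audit` to production dependencies, and lockfileVersion 2 and 3 files describe the tree in a `packages` map keyed by `node_modules` path rather than the nested `dependencies` layout walked here, so the `resolve` step would need adapting for those.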