Closed damingerdai closed 4 years ago
Note that the object-path dependency was declared as ^0.11.4, so npm will install the latest 0.11.x patch version (currently v0.11.5). So graphql-upload is not currently causing the vulnerable 0.11.4 version to be installed, and the change in this PR to ^0.11.5 is technically unnecessary.
@jaydenseric I've created an issue for this in Apollo Server as this issue has started causing our CI runs to fail: https://github.com/apollographql/apollo-server/issues/4672
I think the reason this does cause failures in dependent libraries will be due to the way yarn.lock works. So it's probably worth updating this package.json ultimately.
@citypaul as explained here:
A lockfile in your project purposefully freezes the dependency graph in place. It wouldn't solve your problem if I published the change in this PR in a patch release, because just as your project's lockfile has frozen the object-path version in place, the graphql-upload version would also have been frozen. You would only get the current patch releases for either package in node_modules by deleting the lockfile and node_modules, and doing a fresh npm/Yarn install.
Thanks @jaydenseric, this is working for us now after taking your advice. Useful, cheers!
I agree with @jaydenseric. I will close this PR.
When is this planned to be released? Version 11.0.0 still uses 0.11.4.
@tal130 please read my earlier comments in this PR.
Summary
There is a prototype pollution in object-path; please upgrade to version >= 0.11.5.
Changelog
build(deps): bump object-path from 0.11.4 to 0.11.5
More info