jaydenseric / graphql-upload

Middleware and a scalar Upload to add support for GraphQL multipart requests (file uploads via queries and mutations) to various Node.js GraphQL servers.
https://npm.im/graphql-upload
MIT License

build(deps): bump object-path from 0.11.4 to 0.11.5 #223

Closed damingerdai closed 4 years ago

damingerdai commented 4 years ago

Summary

There is a prototype pollution vulnerability in object-path; please upgrade to version >= 0.11.5.

Changelog

build(deps): bump object-path from 0.11.4 to 0.11.5

More info


jaydenseric commented 4 years ago

Note that the object-path dependency was declared as ^0.11.4 so npm will install the latest 0.11.x patch version (currently v0.11.5). So graphql-upload is not currently causing the vulnerable 0.11.4 version to be installed and the change in this PR to ^0.11.5 is technically unnecessary.

citypaul commented 4 years ago

@jaydenseric I've created an issue for this in Apollo Server as this issue has started causing our CI runs to fail: https://github.com/apollographql/apollo-server/issues/4672

I think the reason this does cause failures in dependent libraries will be due to the way yarn.lock works. So it's probably worth updating this package.json ultimately.

jaydenseric commented 4 years ago

@citypaul as explained here:

A lockfile in your project purposefully freezes the dependency graph in place. It wouldn't solve your problem if I published the change in this PR in a patch release because, just as your project's lockfile has frozen the object-path version in place, the graphql-upload version would also have been frozen. You would only get the current patch releases for either package in node_modules by deleting the lockfile and node_modules, and doing a fresh npm/Yarn install.
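The range-versus-lockfile point above, as an added example (not graphql-upload's code): a small Node.js check of whether a lockfile still pins a vulnerable version that the declared caret range would already allow to be upgraded. The package.json and lockfile objects are constructed and simplified (package-lock v1 layout), and `FIXED` is the 0.11.5 version named in this PR.

```javascript
// Added example, not part of graphql-upload. Caret-range matching is
// implemented inline so the script runs offline without the semver package.
const FIXED = "0.11.5"; // first object-path release with the fix, per this PR

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// npm caret semantics: ^1.2.3 allows <2.0.0, ^0.11.4 allows <0.12.0,
// ^0.0.3 allows only 0.0.3. Everything up to the first non-zero part is fixed.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const floor = range.slice(1);
  if (compareVersions(version, floor) < 0) return false;
  const base = parseVersion(floor);
  const v = parseVersion(version);
  const firstNonZero = base.findIndex((n) => n !== 0);
  const fixedUpTo = firstNonZero === -1 ? 2 : firstNonZero;
  for (let i = 0; i <= fixedUpTo; i++) if (v[i] !== base[i]) return false;
  return true;
}

// Constructed inputs mirroring the thread: the range already admits 0.11.5,
// but the lockfile froze 0.11.4 when it was generated.
const packageJson = { dependencies: { "object-path": "^0.11.4" } };
const lockfile = { dependencies: { "object-path": { version: "0.11.4" } } };

function audit(pkg, lock, name, fixed) {
  const range = pkg.dependencies[name];
  const pinned = lock.dependencies[name].version;
  const rangeAllowsFix = satisfiesCaret(range, fixed);
  const lockfilePinsVulnerable = compareVersions(pinned, fixed) < 0;
  let action = "none";
  if (lockfilePinsVulnerable) {
    // A range that already allows the fix needs only a lockfile refresh;
    // otherwise package.json must be bumped as well before refreshing.
    action = rangeAllowsFix ? "refresh lockfile" : "bump range and refresh lockfile";
  }
  return { range, pinned, rangeAllowsFix, lockfilePinsVulnerable, action };
}

console.log(audit(packageJson, lockfile, "object-path", FIXED));
```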

citypaul commented 4 years ago

Thanks @jaydenseric, this is working for us now after taking your advice. Useful, cheers!

damingerdai commented 4 years ago

I agree with @jaydenseric. I will close this PR.

tal130 commented 3 years ago

When is this planned to be released? Version 11.0.0 still uses 0.11.4.

jaydenseric commented 3 years ago

@tal130 please read my earlier comments in this PR.