jaydenseric / graphql-upload

Middleware and an Upload scalar to add support for GraphQL multipart requests (file uploads via queries and mutations) to various Node.js GraphQL servers.
https://npm.im/graphql-upload
MIT License

object-path@0.11.5 has vulnerability CVE-2021-23434 #261

Closed loremaps closed 3 years ago

loremaps commented 3 years ago

According to our container scanner, the object-path dependency has a critical vulnerability:

===================================
Total: 1 (CRITICAL: 1)
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| object-path | CVE-2021-23434   | CRITICAL | 0.11.5            | 0.11.6        | object-path: Type confusion           |
|             |                  |          |                   |               | vulnerability can lead to             |
|             |                  |          |                   |               | a bypass of CVE-2020-15256            |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23434 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
jaydenseric commented 3 years ago

graphql-upload doesn't depend on the old vulnerable object-path version:

https://github.com/jaydenseric/graphql-upload/blob/bdb5f808e0d514c28c0f59c1abd71680aba29bae/package.json#L55

^0.11.5 selects the latest 0.11.x patch, which at the current moment installs a safe object-path version: v0.11.7.

https://semver.npmjs.com is a useful tool to see what published version semver strings match.

If you delete your node_modules and package-lock.json file, and do a fresh npm install, you will see that graphql-upload installs the latest object-path version.
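As an added example (not code from graphql-upload or from either commenter), a small dependency-free caret-range checker that triages a scanner finding like the one above: it tells whether the package.json range still admits the advisory's fixed version and whether the lockfile-pinned version is already fixed. It assumes only `^x.y.z` ranges and plain `x.y.z` versions; the `triage` helper and its inputs are constructed for illustration.

```javascript
// Added example (not part of graphql-upload): minimal semver caret-range
// checker for triaging a dependency-scanner finding. It answers two questions:
// does the package.json range still admit the fixed version, and is the
// version actually installed (from package-lock.json) already fixed?
// Assumption: only ^x.y.z ranges and plain x.y.z versions are supported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: the leftmost non-zero component may not change.
// ^1.2.3 -> >=1.2.3 <2.0.0; ^0.11.5 -> >=0.11.5 <0.12.0; ^0.0.3 -> >=0.0.3 <0.0.4
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  let upper;
  if (lower[0] > 0) upper = [lower[0] + 1, 0, 0];
  else if (lower[1] > 0) upper = [0, lower[1] + 1, 0];
  else upper = [0, 0, lower[2] + 1];
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Triage one finding: range from package.json, installed version from the
// lockfile, fixedIn from the advisory. Returns the action a maintainer would take.
function triage({ range, installed, fixedIn }) {
  const rangeAdmitsFix = caretSatisfies(range, fixedIn);
  const installedIsFixed = compare(parseVersion(installed), parseVersion(fixedIn)) >= 0;
  return {
    rangeAdmitsFix,    // a fresh install can pick up the fix
    installedIsFixed,  // the lockfile-pinned version is already safe
    action: installedIsFixed ? "none" : rangeAdmitsFix ? "refresh lockfile" : "bump range",
  };
}

// Constructed inputs mirroring the report: a stale lockfile vs. a fresh install.
const stale = triage({ range: "^0.11.5", installed: "0.11.5", fixedIn: "0.11.6" });
const fresh = triage({ range: "^0.11.5", installed: "0.11.7", fixedIn: "0.11.6" });
```

A "refresh lockfile" result is the situation described in this issue: the range is fine and only the pinned version in package-lock.json is behind.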