prisma-labs / graphqlgen

⚙️ Generate type-safe resolvers based upon your GraphQL Schema
MIT License
818 stars 54 forks

Vulnerability in js-yaml dependency #476

Open janheinrichmerker opened 5 years ago

janheinrichmerker commented 5 years ago

Description

The js-yaml dependency in graphqlgen's package.json is reported to be vulnerable. See https://www.npmjs.com/advisories/813.

Steps to reproduce

  1. Create a blank project.
  2. npm install --save graphqlgen
  3. npm audit

Expected results

npm audit reports no vulnerabilities.

Actual results

npm audit reports a high severity vulnerability:

  High            Code Injection
  Package         js-yaml
  Patched in      >=3.13.1
  Dependency of   graphqlgen [dev]
  Path            graphqlgen > js-yaml
  More info       https://npmjs.com/advisories/813

Versions

janheinrichmerker commented 5 years ago

I would recommend simply updating the js-yaml dependency. Also, using ^ when declaring dependencies can often avoid this kind of bug, as the patch in the dependency's repo could be loaded automatically, without making changes to graphqlgen.
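As an added illustration of the two points in the comment above (the patched threshold >=3.13.1 from advisory 813, and why a caret range would have picked up the fix where an exact pin does not), here is a small Node script. It is not part of graphqlgen or of this issue: it walks a constructed npm v6-style package-lock.json embedded inline, lists every installed copy of js-yaml with the same "Path" and "[dev]" information npm audit prints, and flags copies below the patched version. The lockfile contents, including the "3.12.0" pin attributed to graphqlgen and the "some-runtime-lib" package, are assumptions made up for the example, not data from the project.

```javascript
// Added example, not graphqlgen code. Versions and package names in the
// sample lockfile are constructed; only the 3.13.1 fix threshold comes from
// the advisory quoted in the issue.
const SAMPLE_LOCK = {
  name: "blank-project",
  lockfileVersion: 1,
  dependencies: {
    // Hypothetical: graphqlgen pinning js-yaml exactly, so the nested copy
    // stays at the vulnerable version even after js-yaml publishes a fix.
    graphqlgen: {
      version: "0.6.0-rc9",
      dev: true,
      requires: { "js-yaml": "3.12.0" },
      dependencies: { "js-yaml": { version: "3.12.0", dev: true } },
    },
    // Hypothetical runtime dependency using a caret range: it resolves to the
    // hoisted top-level js-yaml, which is already on the patched release.
    "some-runtime-lib": { version: "1.0.0", requires: { "js-yaml": "^3.12.0" } },
    "js-yaml": { version: "3.13.1" },
  },
};

// "^3.12.0-rc1" -> [3, 12, 0]; range operator and prerelease tag are dropped.
function parseVersion(v) {
  const core = v.replace(/^[\^~]/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Exact pin: only the identical version satisfies it.
// Caret: >= base and same major (for 0.x also same minor; for 0.0.x same patch).
function satisfiesRange(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const base = parseVersion(range);
  const v = parseVersion(version);
  if (v[0] !== base[0]) return false;
  if (base[0] === 0 && v[1] !== base[1]) return false;
  if (base[0] === 0 && base[1] === 0 && v[2] !== base[2]) return false;
  return compareVersions(version, range) >= 0;
}

// Recursively walk the lockfile's nested `dependencies` tree. For every copy of
// `name`, record the path npm audit would print, the installed version, whether
// it is reachable only through devDependencies, and whether it predates `fixedIn`.
function findInstalls(node, name, fixedIn, trail = [], dev = false) {
  const found = [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, depName];
    const isDev = dev || dep.dev === true;
    if (depName === name) {
      found.push({
        path: path.join(" > "),
        version: dep.version,
        dev: isDev,
        vulnerable: compareVersions(dep.version, fixedIn) < 0,
      });
    }
    found.push(...findInstalls(dep, name, fixedIn, path, isDev));
  }
  return found;
}

const installs = findInstalls(SAMPLE_LOCK, "js-yaml", "3.13.1");
for (const i of installs) {
  const tag = i.vulnerable ? "VULNERABLE" : "ok        ";
  console.log(`${tag} ${i.version.padEnd(8)} ${i.path}${i.dev ? " [dev]" : ""}`);
}
console.log("exact pin 3.12.0 admits 3.13.1:", satisfiesRange("3.12.0", "3.13.1"));
console.log("caret ^3.12.0 admits 3.13.1:  ", satisfiesRange("^3.12.0", "3.13.1"));
```

Run it with `node` against the embedded sample; to use it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` (lockfileVersion 1 layout). The "[dev]" marker is the distinction npm audit draws between devDependencies and runtime dependencies; a vulnerable copy that is reachable only through dev tooling is still worth removing, since the tool runs with the developer's privileges on the developer's machine and in CI.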

janheinrichmerker commented 5 years ago

Another moderate vulnerability is reported, also caused by js-yaml: https://www.npmjs.com/advisories/788

rfdc commented 5 years ago

I also have this high vulnerability plus 67 vulnerabilities (63 low, 3 moderate, 1 high). But they are all dev packages; I just use graphqlgen and Jest, and I believe that when it is built, the final product won't use these packages with vulnerabilities.

What do you think? Is that right?