
Security vulnerability in dependency `cross-undici-fetch`


Describe the bug

When your app uses @graphql-codegen/cli and you have Dependabot alerts enabled, you will get an (unresolvable) alert that undici prior to v5.8.0 is insecure.

Your Example Website or App

https://github.com/GamerBene19/gql-codegen-example

Steps to Reproduce the Bug or Issue

  1. Fork the example repo
  2. Go to the Security tab
  3. Enable Dependabot alerts like so: [image]
  4. Wait
  5. Observe the following two (unresolvable) Dependabot alerts: [image]

Expected behavior

The “expected behavior” would be to not have a vulnerable version as a dependency, or to be able to update to a non-vulnerable version.

Screenshots or Videos

No response

Platform

  • OS: Arch Linux, but should be irrelevant
  • NodeJS: v17.9.0, but should be irrelevant
  • graphql version: 16.5.0, but should be irrelevant
  • @graphql-codegen/cli version(s): 2.9.1, very much relevant

Codegen Config File

No response

Additional context

As far as I can tell, the (problematic) version of undici is a transitive dependency of cross-undici-fetch from here.

A quick Google search revealed that perhaps this package (which might very well just be a renamed version of the original one) is a replacement?

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 10
  • Comments: 18 (3 by maintainers)

Top GitHub Comments

3 reactions
ardatan commented, Jul 28, 2022

@graphql-codegen/cli@2.11.2 has been released. It doesn’t use cross-undici-fetch, which depends on the older version of undici. Now it uses @whatwg-node/fetch, which uses the latest undici. https://github.com/dotansimha/graphql-code-generator/blob/master/yarn.lock#L14704

1 reaction
ardatan commented, Jul 28, 2022

After hours of work, we finally figured out how to make things work on our side with 5.8.0 by adding some workarounds. https://github.com/dotansimha/graphql-code-generator/pull/8155 Now that this PR is merged, the new patch version will be available soon.
