I did see that you have a separate process for reporting security vulnerabilities.
However, I decided to create a standard issue for this, because this is an issue that is currently causing yarn audits to fail against apollo-server-core, and therefore is probably an issue for other people, and the issue is going to be automatically reported to anybody running a yarn audit check.
Here is the output of our latest run on CI:
```
yarn audit v1.22.5
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ object-path                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.11.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @tunstall/evity-graphql                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @tunstall/evity-graphql > apollo-server-koa >                │
│               │ apollo-server-core > graphql-upload > object-path            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1573                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
It appears the issue stems from the graphql-upload library, which itself depends on object-path, with object-path being the library with the underlying issue.
There's an outstanding (not merged at the time of writing) PR to fix this issue in graphql-upload by taking the fix here: https://github.com/jaydenseric/graphql-upload/pull/223
So I suspect it'll just be a case of bumping this underlying library when the above PR is merged.
NPM advisory: https://www.npmjs.com/advisories/1573
As explained here, graphql-upload does not currently cause the vulnerable version of object-path to be installed:
https://github.com/jaydenseric/graphql-upload/pull/223#issuecomment-712712731
One of the things a lockfile in your project achieves is freezing the dependency graph in place. To get the latest patches for things, you need to delete the lockfile and do a fresh npm/Yarn install.
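To see the lockfile-freezing effect described in the comment above on actual data, here is an added example (not code from this thread, graphql-upload or apollo-server) that parses a Yarn v1 lockfile excerpt and lists entries of `object-path` whose locked version is still below the `>=0.11.5` bound reported by `yarn audit`; the lockfile text, the `SAMPLE_LOCK` name and the helper functions are all constructed for the example.

```javascript
// Added example (not from the thread): find lockfile entries of a package whose locked
// version sits below the "Patched in" bound from the audit table. Excerpt is constructed.
// Yarn v1 lockfile: an unindented line of comma-separated "name@range" keys ending in ':'
// opens an entry; the indented `version "x.y.z"` line that follows is the locked version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const keys = line.replace(/:\s*$/, '').split(',')
        .map(k => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.trim().match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric dotted-version comparison; returns -1, 0 or 1 (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name of a key such as "object-path@^0.11.4" or "@scope/pkg@^1.0.0"
// (every Yarn lockfile key carries a trailing "@range").
const nameOf = key => key.slice(0, key.lastIndexOf('@'));
// Locked versions of `pkg` still below `patched`: these are what `yarn audit` keeps
// flagging until the lockfile entry is refreshed, whatever the declared range allows.
function findUnpatched(lockText, pkg, patched) {
  return parseYarnLock(lockText)
    .filter(e => e.version && e.keys.some(k => nameOf(k) === pkg))
    .filter(e => compareVersions(e.version, patched) < 0)
    .map(e => ({ keys: e.keys, version: e.version }));
}
// Constructed excerpt: the range ^0.11.4 would accept 0.11.5, but the lock froze 0.11.4.
const SAMPLE_LOCK = `object-path@^0.11.4:
  version "0.11.4"
"graphql-upload@^11.0.0":
  version "11.0.0"
`;
```

`findUnpatched(SAMPLE_LOCK, 'object-path', '0.11.5')` reports the frozen 0.11.4 entry; after a fresh install re-resolves the range, the same call returns an empty list.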
@jaydenseric yeah we just tried this and it does appear to be working for us again. This stuff is confusing! Thanks