Graphql-code-generator: Security Issue NODE_TLS_REJECT_UNAUTHORIZED is set to 0

Created on 2 May 2019 · 8Comments · Source: dotansimha/graphql-code-generator

Found a major security concern. This package sets my project's NODE_TLS_REJECT_UNAUTHORIZED to 0 for the entire process thereby disabling SSL. I found this when searching after seeing this security warning from node.

Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.

I've traced it back to this commit... https://github.com/dotansimha/graphql-code-generator/pull/147/commits/8b0bc1ea8408badb845696e35df85c6a84a4563a

bug core waiting-for-release

Source

TSiege

👀7

All 8 comments

Can it be backported to v0.18 pls?

simPod on 7 May 2019

👍1

@simPod on it now, sorry for the delay.

dotansimha on 16 May 2019

👍1

@simPod 0.18.2 is available now.

dotansimha on 16 May 2019

❤1

@dotansimha thanks, contacted NPM about fix for https://www.npmjs.com/advisories/834 (there's no release with fix for v1 AFAIK)

simPod on 18 May 2019

👍1

Fixed in 1.2.0.

dotansimha on 19 May 2019

👍1

@dotansimha Hi, NPM cannot find the release https://www.npmjs.com/package/graphql-code-generator

simPod on 20 May 2019

@simPod we moved to organization libraries after 1.0, graphql-code-generator is now @graphql-codegen/cli and plugins are also moved (for example graphql-codegen-typescript is now @graphql-codegen/typescript.

The 0.18.2 release was only for people who's not migrated yet to 1.0 :)

dotansimha on 20 May 2019

@dotansimha right, I forgot that! thanks

simPod on 20 May 2019

Was this page helpful?

0 / 5 - 0 ratings