Which packages are impacted by your issue?
@graphql-codegen/cli
Describe the bug
`@graphql-codegen/cli` is using a version of `cosmiconfig` that is a full major version (plus) behind. That major version (7.x) contains a particular CVE that is impossible to get around: GHSA-f9xv-q969-pqx4

Overriding the version of `yaml` with a package manager results in a crash of `cosmiconfig` and subsequently `@graphql-codegen/cli`, as there are breaking changes between the version of `yaml` that `cosmiconfig@7` uses and the latest version which resolves the CVE, `yaml@2.2.2`. Additionally, `cosmiconfig@8` no longer uses the `yaml` package.

Offending line is here: https://github.com/dotansimha/graphql-code-generator/blob/master/packages/graphql-codegen-cli/package.json#L61
Your Example Website or App
n/a
Steps to Reproduce the Bug or Issue
Doesn't require a reproduction, as this is strictly a dependency update.
Expected behavior
A reasonably updated version of `cosmiconfig` and other dependencies would be used.
Screenshots or Videos
No response
Platform
graphql version: 15+
@graphql-codegen/* version(s): 3.3.1
Codegen Config File
No response
Additional context
No response
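The report's core point is a transitive dependency: `@graphql-codegen/cli` pulls in `cosmiconfig@7`, which pulls in a `yaml` older than the fixed 2.2.2, and a blind package-manager override breaks the chain. The script below is an added example, not code from the issue or from graphql-code-generator: it reads an npm `package-lock.json` (lockfileVersion 2 or 3, the `packages` map), finds every copy of `yaml` below 2.2.2, and prints the dependency path that resolves to it, so a maintainer can see which top-level package is responsible before deciding on an upgrade. The embedded lockfile is constructed for illustration; the `cosmiconfig@7.1.0` and `other-tool` entries are assumptions, not versions taken from the project.

```python
"""Find vulnerable copies of `yaml` in an npm lockfile and show who depends on them.
Added example (not part of the issue or the project); the sample lockfile is constructed."""
import json
import re
from typing import Dict, List, Tuple

# Fixed version named in the report (GHSA-f9xv-q969-pqx4 is resolved in yaml@2.2.2).
FIXED_YAML = (2, 2, 2)

# Constructed lockfile: one stale yaml reached via @graphql-codegen/cli -> cosmiconfig,
# and one patched, nested copy under a hypothetical "other-tool" package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@graphql-codegen/cli": "^3.3.1"}},
        "node_modules/@graphql-codegen/cli": {"version": "3.3.1",
                                              "dependencies": {"cosmiconfig": "^7.0.0"}},
        "node_modules/cosmiconfig": {"version": "7.1.0", "dependencies": {"yaml": "^1.10.0"}},
        "node_modules/yaml": {"version": "1.10.2"},
        "node_modules/other-tool": {"version": "1.0.0", "dependencies": {"yaml": "^2.2.2"}},
        "node_modules/other-tool/node_modules/yaml": {"version": "2.2.2"},
    },
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' (or '1.10.2-beta.1') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def package_name(path: str) -> str:
    """Last 'node_modules/<name>' segment of a lockfile path; keeps scoped names intact."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve(packages: Dict[str, dict], from_path: str, dep: str) -> str:
    """Mimic node resolution: look for dep in the nearest node_modules, then walk upwards."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return ""  # not installed at all (optional/peer dependency)
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx >= 0 else ""


def chains_to_root(packages: Dict[str, dict], parents: Dict[str, List[str]], path: str) -> List[List[str]]:
    """All dependency chains from the root project ("") down to `path`, as name@version labels."""
    def label(p: str) -> str:
        return f"{package_name(p)}@{packages[p]['version']}"

    chains: List[List[str]] = []

    def walk(node: str, trail: List[str], seen: set) -> None:
        if node == "":
            chains.append(list(reversed(trail)))
            return
        for parent in parents.get(node, []):
            if parent in seen:
                continue  # guard against cyclic dependency graphs
            next_trail = trail if parent == "" else trail + [label(parent)]
            walk(parent, next_trail, seen | {parent})

    walk(path, [label(path)], {path})
    return chains


def find_vulnerable_yaml(lock_json: str, fixed: Tuple[int, ...] = FIXED_YAML) -> List[dict]:
    """Return every installed `yaml` below `fixed`, with the chains that pull it in."""
    packages = json.loads(lock_json)["packages"]
    parents: Dict[str, List[str]] = {}
    for path, meta in packages.items():
        for dep in meta.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target:
                parents.setdefault(target, []).append(path)
    findings = []
    for path, meta in packages.items():
        if path and package_name(path) == "yaml" and parse_version(meta["version"]) < fixed:
            findings.append({"path": path, "version": meta["version"],
                             "chains": chains_to_root(packages, parents, path)})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_yaml(SAMPLE_LOCK):
        print(f"{finding['path']} (yaml@{finding['version']}) is below 2.2.2, reached via:")
        for chain in finding["chains"]:
            print("  " + " > ".join(chain))
```

Against the constructed lockfile the output names `node_modules/yaml` at 1.10.2 and the chain `@graphql-codegen/cli@3.3.1 > cosmiconfig@7.1.0 > yaml@1.10.2`, while the nested 2.2.2 copy under `other-tool` is left alone. That chain is the information you need before reaching for an override: it shows the fix has to come from the package that pins `cosmiconfig@7`, not from forcing a `yaml` version that `cosmiconfig@7` cannot load. To run it on a real project, replace `SAMPLE_LOCK` with the contents of its `package-lock.json`.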