Security Issue - CVE-2022-25645 - Node module dset
#2256
Comments
Specifically, CVE-2022-25645 is described at https://security.snyk.io/vuln/SNYK-JS-DSET-2330881
@ThanujV thanks, I should've addressed this sooner! Note that in order to be vulnerable, you must be using I will review with our security team to see if an advisory is needed. @dotansimha noticing that url-loader is using
I'll raise switching to
Hmm, I don't know if it's a 1:1 parity of behavior though. The cypress suite caught some potential issues I didn't see with manual testing of the webpack build. Looks like deferred queries don't work with this approach. I hope to merge a fix tonight https://github.com/graphql/graphiql/runs/5738853923?check_suite_focus=true#step:5:225 Update: I was wrong, I think
released a patch fix!
I think you may need to provide a custom merge function, as setting merge = true according to the docs for set-value seems to only perform a shallow merge, which is probably not enough. I actually didn't check to see how set-value works and how it's being used, but just thinking about overlapping deferred fragments, it seems that you would need deep merging. Also, out of curiosity, why is set-value not vulnerable to the same concern? Is there no CVE for it yet or did they solve something differently? Can dset be patched rather than discarded? Is there a link to separate discussion about that?
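The comment above raises two points a maintainer would want to see side by side: a shallow merge loses nested data from overlapping deferred fragments, and any replacement merge still has to refuse the keys that CVE-2022-25645 concerns (prototype pollution through `dset/merge`). The following is an added example, not code from graphiql, dset or set-value; the payload shapes are constructed, and the blocked key list (`__proto__`, `constructor`, `prototype`) is the usual hardening choice rather than anything taken from those projects.

```javascript
// Added example (not graphiql/dset/set-value code): a deep merge that refuses
// the keys used for prototype pollution and recursively merges overlapping
// nested objects, contrasted with the shallow merge the comment warns about.

// Keys that must never be written by a merge fed with untrusted data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are merged recursively; anything else is assigned as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target` in place and return `target`.
// Arrays are merged index by index so overlapping list payloads combine.
// A forbidden key throws so a poisoned payload fails loudly, not silently.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key: ${key}`);
    }
    const srcVal = source[key];
    const dstVal = target[key];
    if (isPlainObject(srcVal) && isPlainObject(dstVal)) {
      safeDeepMerge(dstVal, srcVal);
    } else if (Array.isArray(srcVal) && Array.isArray(dstVal)) {
      srcVal.forEach((item, i) => {
        if (isPlainObject(item) && isPlainObject(dstVal[i])) {
          safeDeepMerge(dstVal[i], item);
        } else {
          dstVal[i] = item;
        }
      });
    } else if (isPlainObject(srcVal)) {
      // Clone through the same guarded path so nested keys are checked too.
      target[key] = safeDeepMerge({}, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Contrast: a shallow merge drops the target's nested data whenever the
// source carries the same top-level key.
function shallowMerge(target, source) {
  return Object.assign(target, source);
}

// Constructed "initial result + deferred fragment" payloads (hypothetical data).
function mergeDeferredPayloads() {
  const initial = { data: { user: { id: 1, name: 'ada' } } };
  const deferred = { data: { user: { email: 'ada@example.test' } } };
  const deep = safeDeepMerge(JSON.parse(JSON.stringify(initial)), deferred);
  const shallow = shallowMerge(JSON.parse(JSON.stringify(initial)), deferred);
  return { deep, shallow };
}

// Constructed hostile payload of the kind the CVE concerns. JSON.parse creates
// an own "__proto__" property, so Object.keys sees it and the guard fires.
function mergeRejectsPollution() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  let rejected = false;
  try {
    safeDeepMerge({}, payload);
  } catch (e) {
    rejected = true;
  }
  return { rejected, prototypeClean: ({}).polluted === undefined };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(mergeDeferredPayloads(), null, 2));
  console.log(mergeRejectsPollution());
}
```

Run with `node safe-merge.js`: the deep result keeps `id`, `name` and `email` under `data.user`, while the shallow result has lost `id` and `name`; the polluted payload is rejected and `({}).polluted` stays `undefined`. Rejecting rather than skipping the forbidden keys is a deliberate choice so that a defender sees the event in logs instead of a silently degraded merge.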
@yaacovCR I created a PR for addressing this: lukeed/dset#34
@yaacovCR we have a cypress test that proves this works, I think? You can always just modify the tests to prove it doesn't! It actually failed until I added
This has been fixed in
There is currently a CVE open for the module dset for the following problem:

This affects graphiql on the following line, which is affected as it uses dset/merge as the imported module:

Would it be possible to migrate away from dset soon?