Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade graphql-tag from 2.11.0 to 2.12.1 #11

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade graphql-tag from 2.11.0 to 2.12.1 #11

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to upgrade graphql-tag from 2.11.0 to 2.12.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 2 months ago, on 2021-02-12.
Release notes
Package name: graphql-tag
  • 2.12.1 - 2021-02-12

    Bump npm version to 2.12.1.

  • 2.12.0 - 2021-01-29

    Bump npm version to 2.12.0.

  • 2.11.0 - 2020-07-28
    • package.json sideEffects changes to clearly identify that graphql-tag doesn't have side effects.
      @ hwillson in #313
from graphql-tag GitHub release notes
Commit messages
Package name: graphql-tag

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@mistaken-pull-closer
Copy link

Thanks for your submission.

It appears that you've created a pull request using one of our repository's branches. Since this is
almost always a mistake, we're going to go ahead and close this. If it was intentional, please
let us know what you were intending and we can see about reopening it.

Thanks again!

@mistaken-pull-closer mistaken-pull-closer bot added the invalid This doesn't seem right label Mar 28, 2021
@pull-dog
Copy link

pull-dog bot commented Mar 28, 2021
edited

*Ruff* 🐶 The test environment for this pull request has been destroyed 💥 This may have happened explicitly via a command, because the environment expired, or because the pull request was closed.

What is this?

Pull Dog is a GitHub app that makes test environments for your pull requests using Docker, from a docker-compose.yml file you specify. It takes 19 seconds to set up (we counted!) and there's a free plan available.

Visit our website to learn more.

Commands
  • @pull-dog up to reprovision or provision the server.
  • @pull-dog down to delete the provisioned server.
Troubleshooting

Need help? Don't hesitate to file an issue in our repository

Configuration

{
  "isLazy": false,
  "dockerComposeYmlFilePaths": [
    "docker-compose.yml"
  ],
  "expiry": "00:00:00",
  "conversationMode": "singleComment"
}

Trace ID
No trace ID

@guardrails
Copy link

guardrails bot commented Mar 28, 2021

⚠️ We detected security issues in this pull request:
Mode: paranoid | Total findings: 82 | Considered vulnerability: 0

Hard-Coded Secrets (16)

graphql-tools/packages/loaders/prisma/src/prisma-yml/Cluster.ts

Line 41 in a797d98

this.clusterSecret = clusterSecret;

graphql-tools/packages/loaders/prisma/src/prisma-yml/Cluster.ts

Line 77 in a797d98

const secret = process.env.PRISMA_MANAGEMENT_API_SECRET || this.clusterSecret;

graphql-tools/packages/loaders/prisma/src/prisma-yml/Cluster.ts

Line 276 in a797d98

clusterSecret: this.clusterSecret,

graphql-tools/packages/loaders/prisma/src/prisma-yml/Environment.test.ts

Line 51 in a797d98

clusterSecret: 'here-is-a-token'

graphql-tools/packages/loaders/prisma/src/prisma-yml/Environment.ts

Line 258 in a797d98

clusterSecret: cluster.clusterSecret,

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 14 in a797d98

clusterSecret: 'here-is-a-token'

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 79 in a797d98

const secret = 'this-is-a-long-secret';

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 80 in a797d98

process.env.MY_TEST_SECRET = secret;

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 165 in a797d98

MY_INJECTED_ENV_SECRET: 'some-secret',

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 206 in a797d98

GRAPHCOOL_SECRET: 'this-is-secret',

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 247 in a797d98

fs.writeFileSync(envPath, `MY_DOT_ENV_SECRET=this-is-very-secret,and-comma,seperated`);

graphql-tools/packages/loaders/prisma/src/prisma-yml/__snapshots__/Environment.test.ts.snap

Line 127 in a797d98

"clusterSecret": "",

graphql-tools/packages/loaders/prisma/src/prisma-yml/__snapshots__/Environment.test.ts.snap

Line 150 in a797d98

"clusterSecret": undefined,

graphql-tools/packages/loaders/prisma/src/prisma-yml/__snapshots__/PrismaDefinition.test.ts.snap

Line 127 in a797d98

"clusterSecret": "",

graphql-tools/packages/loaders/prisma/src/prisma-yml/__snapshots__/PrismaDefinition.test.ts.snap

Line 150 in a797d98

"clusterSecret": undefined,

graphql-tools/website/docusaurus.config.js

Line 42 in a797d98

apiKey: '811d453fc7f80306044dd5cc4b87e064',

More info on how to fix Hard-Coded Secrets in General.

Insecure Use of Dangerous Function (12)

graphql-tools/jest.config.js

Line 7 in a797d98

const tsconfig = require(TSCONFIG);

graphql-tools/scripts/build-api-docs.js

Line 5 in a797d98

const { execSync } = require('child_process');

graphql-tools/scripts/build-api-docs.js

Line 34 in a797d98

const packageJsonContent = require(path.join(__dirname, '..', packageJsonPath));

graphql-tools/scripts/canary-release.js

Line 3 in a797d98

const cp = require('child_process');

graphql-tools/scripts/match-graphql.js

Line 7 in a797d98

const pkg = require(pkgPath);

graphql-tools/packages/load-files/src/index.ts

Line 223 in a797d98

const extractExports = execOptions.extractExports || DEFAULT_EXTRACT_EXPORTS_FACTORY(execOptions.exportNames);

graphql-tools/packages/loaders/code-file/src/index.ts

Line 156 in a797d98

if (options && options.require) {

graphql-tools/packages/loaders/code-file/src/load-from-module.ts

Line 25 in a797d98


graphql-tools/packages/loaders/module/src/index.ts

Line 128 in a797d98


graphql-tools/packages/loaders/url/src/index.ts

Line 53 in a797d98

const asyncImport: AsyncImportFn = (moduleName: string) => import(moduleName);

graphql-tools/packages/node-require/test/node-require.spec.ts

Line 8 in a797d98

const filePath = './fixtures/test.graphql';

graphql-tools/packages/webpack-loader/tests/loader.test.ts

Line 32 in a797d98

// eslint-disable-next-line no-eval

More info on how to fix Insecure Use of Dangerous Function in Javascript and Typescript.

Insecure File Management (33)

graphql-tools/scripts/build-api-docs.js

Line 74 in a797d98

const contents = await fsPromises.readFile(filePath, 'utf-8');

graphql-tools/scripts/build-api-docs.js

Line 82 in a797d98

await fsPromises.writeFile(filePath, contentsTrimmed);

graphql-tools/scripts/build-api-docs.js

Line 86 in a797d98

const lsStat = await fsPromises.lstat(filePath);

graphql-tools/scripts/build-api-docs.js

Line 90 in a797d98

const filesInDirectory = await fsPromises.readdir(filePath);

graphql-tools/scripts/build-api-docs.js

Line 111 in a797d98

const ifExists = await fsPromises

graphql-tools/scripts/build-api-docs.js

Line 120 in a797d98

const oldContent = fs.readFileSync(filePath, 'utf-8');

graphql-tools/scripts/build-api-docs.js

Line 130 in a797d98

await fsPromises.writeFile(filePath, finalContent);

graphql-tools/scripts/build-api-docs.js

Line 134 in a797d98

fs.writeFileSync(

graphql-tools/scripts/build-api-docs.js

Line 168 in a797d98

const filesInDirectory = fs.readdirSync(dirName);

graphql-tools/scripts/build-api-docs.js

Line 172 in a797d98

const fileLstat = fs.lstatSync(absoluteFilePath);

graphql-tools/packages/import/tests/schema/import-schema.spec.ts

Line 142 in a797d98

const moduleDir = 'node_modules/graphql-import-test';

graphql-tools/packages/import/tests/schema/import-schema.spec.ts

Line 143 in a797d98

if (!fs.existsSync(moduleDir)) {

graphql-tools/packages/import/tests/schema/import-schema.spec.ts

Line 146 in a797d98


graphql-tools/packages/import/tests/schema/import-schema.spec.ts

Line 147 in a797d98

fs.writeFileSync(moduleDir + '/b.graphql', b);

graphql-tools/packages/loaders/prisma/src/prisma-yml/Environment.test.ts

Line 25 in a797d98

env.saveGlobalRC();

graphql-tools/packages/loaders/prisma/src/prisma-yml/Environment.ts

Line 36 in a797d98

this.rcPath = path.join(this.home, '.prisma/config.yml');

graphql-tools/packages/loaders/prisma/src/prisma-yml/Environment.ts

Line 186 in a797d98

const rcString = yaml.dump(JSON.parse(JSON.stringify(rc)));

graphql-tools/packages/loaders/prisma/src/prisma-yml/Environment.ts

Line 197 in a797d98

fs.accessSync(this.rcPath);

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 30 in a797d98


graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 31 in a797d98

fs.writeFileSync(modelPath, datamodel);

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 131 in a797d98


graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 132 in a797d98

fs.mkdirSync(path.dirname(envPath), { recursive: true });

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 208 in a797d98


graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 209 in a797d98

fs.writeFileSync(modelPath, datamodel);

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 245 in a797d98


graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.test.ts

Line 246 in a797d98

fs.mkdirSync(path.dirname(envPath), { recursive: true });

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.ts

Line 92 in a797d98

this.rawJson = rawJson;

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.ts

Line 261 in a797d98

fs.accessSync(typesPath);

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.ts

Line 307 in a797d98

}

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.ts

Line 323 in a797d98

this.definitionString = replaceYamlValue(this.definitionString, 'endpoint', newEndpoint);

graphql-tools/packages/loaders/prisma/src/prisma-yml/PrismaDefinition.ts

Line 328 in a797d98

this.definitionString += `\ndatamodel: ${datamodel}`;

graphql-tools/packages/loaders/prisma/src/prisma-yml/test/getTmpDir.ts

Line 9 in a797d98

const dir = path.join(os.tmpdir(), cuid() + '/');

graphql-tools/packages/loaders/prisma/src/prisma-yml/yaml.ts

Line 21 in a797d98

}

More info on how to fix Insecure File Management in Javascript and Typescript.

Insecure Use of Crypto (13)

graphql-tools/packages/batch-delegate/tests/typeMerging.example.test.ts

Line 199 in a797d98

User: {

graphql-tools/packages/batch-delegate/tests/typeMerging.example.test.ts

Line 200 in a797d98

reviews: (user) => reviews.filter(review => review.authorId === user.id),

graphql-tools/packages/loaders/prisma/src/prisma-yml/Environment.ts

Line 251 in a797d98

return this.clusters

graphql-tools/packages/stitch/src/typeFromAST.ts

Line 207 in a797d98

token != null &&

graphql-tools/packages/stitch/src/typeFromAST.ts

Line 211 in a797d98

token.line + 1 === token.next.line &&

graphql-tools/packages/stitch/tests/typeMergingWithDirectives.test.ts

Line 281 in a797d98

User: {

graphql-tools/packages/stitch/tests/typeMergingWithDirectives.test.ts

Line 282 in a797d98

reviews: (user) => reviews.filter(review => review.authorId === user.id),

graphql-tools/packages/stitch/tests/typeMergingWithExtensions.test.ts

Line 295 in a797d98

type: GraphQLInt,

graphql-tools/packages/stitch/tests/typeMergingWithExtensions.test.ts

Line 299 in a797d98

type: new GraphQLList(reviewsSchemaTypes.Review),

graphql-tools/packages/stitch/tests/typeMergingWithInterfaces.test.ts

Line 270 in a797d98

User: {

graphql-tools/packages/stitch/tests/typeMergingWithInterfaces.test.ts

Line 271 in a797d98

reviews: (user) => reviews.filter(review => review.authorId === user.id),

graphql-tools/packages/utils/src/parse-graphql-sdl.ts

Line 64 in a797d98

token != null &&

graphql-tools/packages/utils/src/parse-graphql-sdl.ts

Line 68 in a797d98

token.line + 1 === token.next.line &&

More info on how to fix Insecure Use of Crypto in Typescript.

Insecure Access Control (5)

graphql-tools/packages/load/src/utils/helpers.ts

Line 35 in a797d98

return function next() {

graphql-tools/packages/load/src/utils/helpers.ts

Line 39 in a797d98


graphql-tools/packages/utils/src/visitSchema.ts

Line 71 in a797d98

if (isSchemaVisitor(visitorOrVisitorDef)) {

graphql-tools/packages/wrap/src/transforms/HoistField.ts

Line 75 in a797d98

field.args.forEach(arg => {

graphql-tools/packages/wrap/src/transforms/HoistField.ts

Line 129 in a797d98

} as GraphQLArgument;

More info on how to fix Insecure Access Control in Typescript.

Insecure Use of Regular Expressions (3)

graphql-tools/packages/stitching-directives/src/parseMergeArgsExpr.ts

Line 43 in a797d98


graphql-tools/packages/stitching-directives/src/stitchingDirectivesValidator.ts

Line 19 in a797d98


graphql-tools/packages/webpack-loader/src/index.ts

Line 67 in a797d98

More info on how to fix Insecure Use of Regular Expressions in Typescript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@snyk-bot snyk-bot

@kadirselcuk kadirselcuk

Labels
⤵️ pull bug Something isn't working dependencies documentation Improvements or additions to documentation enhancement New feature or request good first issue Good for newcomers invalid This doesn't seem right question Further information is requested
Projects
None yet
Milestone
No milestone
1 participant
@snyk-bot