@apollographql/apollo-server-core 2.25.4 depends on @apollographql/graphql-upload-8-fork, which depends on busboy <=0.3.1, which depends on a version of dicer which is vulnerable to a Denial of Service attack and has been assigned CVE-2022-24434. The busboy maintainer has released a new busboy version 1.0.0 which removes the vulnerable dependency altogether: mscdex/busboy#266. Unfortunately, @apollographql/graphql-upload-8-fork still depends on vulnerable busboy 0.3.1.
➜ demo-project git:(main) ✗ npm audit --only=prod
# npm audit report
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install apollo-server-express@3.8.1, which is a breaking change
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
@apollographql/graphql-upload-8-fork *
Depends on vulnerable versions of busboy
node_modules/@apollographql/graphql-upload-8-fork
apollo-server-core 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
node_modules/apollo-server-core
apollo-server-express 2.0.1 || 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of apollo-server-core
node_modules/apollo-server-express
5 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
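As an added example (not code from the issue, Apollo or busboy), a Node script that walks a package-lock.json v2/v3 `packages` map and reports every dependency chain from the project root down to busboy <=0.3.1, the range the audit above flags. The embedded lockfile is a constructed sample mirroring the chain in this issue; the versions of the upload fork and of dicer are placeholders since the issue does not state them.

```javascript
// Added example (not from the issue): walk a package-lock.json v2/v3 "packages"
// map and report every chain from the root to busboy <= 0.3.1, the range the
// audit above flags for CVE-2022-24434 via dicer.
// Constructed sample mirroring the issue's chain; fork/dicer versions are placeholders.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "apollo-server-express": "^2.25.4" } },
    "node_modules/apollo-server-express": { version: "2.25.4", dependencies: { "apollo-server-core": "^2.25.4" } },
    "node_modules/apollo-server-core": { version: "2.25.4", dependencies: { "@apollographql/graphql-upload-8-fork": "*" } },
    "node_modules/@apollographql/graphql-upload-8-fork": { version: "0.0.0-placeholder", dependencies: { busboy: "^0.3.1" } },
    "node_modules/busboy": { version: "0.3.1", dependencies: { dicer: "*" } },
    "node_modules/dicer": { version: "0.0.0-placeholder" },
  },
};
// busboy <= 0.3.1 is the affected range (1.0.0 dropped dicer entirely).
function isVulnerableBusboy(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 0 && (minor < 3 || (minor === 3 && patch <= 1));
}
// npm's lookup rule: try <from>/node_modules/<name>, then walk up toward the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Depth-first walk from the root; returns chains like ["a@1.0.0", ..., "busboy@0.3.1"].
function findVulnerableChains(lock) {
  const { packages } = lock;
  const chains = [];
  const visit = (path, trail, seen) => {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath || seen.has(depPath)) continue; // unresolved dep or cycle
      const dep = packages[depPath];
      const next = [...trail, `${name}@${dep.version}`];
      if (name === "busboy" && isVulnerableBusboy(dep.version)) chains.push(next);
      else visit(depPath, next, new Set(seen).add(depPath));
    }
  };
  visit("", [], new Set([""]));
  return chains;
}
for (const chain of findVulnerableChains(SAMPLE_LOCK)) console.log(chain.join(" > "));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; an empty result after upgrading means no path to the affected busboy range remains.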