Version
5.0.6
Reproduction link
github.com
Environment info
@vue/cli 5.0.6 and 4.5.18
Steps to reproduce
An audit reports 7 instances of a high severity vulnerability in the dicer package, a dependency of busboy@0.3.1, which is a transient dependency of apollo-server@2.25.4 - which @vue/cli depends on (both versions 4 & 5).
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
@apollographql/graphql-upload-8-fork *
Depends on vulnerable versions of busboy
node_modules/@apollographql/graphql-upload-8-fork
apollo-server-core 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
node_modules/apollo-server-core
apollo-server-express 2.0.1 || 2.21.0-alpha.0 - 2.25.4
Depends on vulnerable versions of apollo-server-core
node_modules/apollo-server-express
@vue/cli-ui >=5.0.0-alpha.0
Depends on vulnerable versions of apollo-server-express
node_modules/@vue/cli-ui
@vue/cli >=5.0.0-alpha.0
Depends on vulnerable versions of @vue/cli-ui
node_modules/@vue/cli
7 high severity vulnerabilities
I've reported this to the apollo-server repo and their proposed solution is to use version 3 instead of 2 in @vue/cli
Please upgrade to AS3. AS4 is close to ready! AS2 ships with hardcoded integrations with many pieces of outdated and unmaintained software.
apollographql/apollo-server#6590
apollographql/apollo-server#6485
Is it possible to update Apollo Server to v3 to fix the vulnerabilities found in the transient dependency busboy / dicer of v2?
What is expected?
No security vulnerabilities should be reported in dependencies.
What is actually happening?
High severity vulnerability reports when auditing.