
Security vulnerability in direct dependency json-ptr CVE-2021-23509

Open felix-hcl opened this issue 4 years ago • 0 comments

Describe the bug
There is a security vulnerability reported in a direct dependency of openapi-to-graphql: https://nvd.nist.gov/vuln/detail/CVE-2021-23509. As far as I could see, this only affects the set method, and this package is only using the get method here: https://github.com/IBM/openapi-to-graphql/blob/df660f9cacdec669286d00b92f262c3edbce48a8/packages/openapi-to-graphql/src/oas_3_tools.ts#L268-L270

To Reproduce
Steps to reproduce the behavior:

  1. Go to a project where openapi-to-graphql is installed
  2. run `npm ls json-ptr`
  3. There is a direct dependency in version 2.X

Expected behavior
Although this vulnerability is not immediately exploitable, this should be upgraded.

felix-hcl avatar Dec 19 '21 16:12 felix-hcl