
Security vulnerability in transitive dependencies #2423

Open

tapegram opened this issue Jun 27, 2024 · 5 comments

Comments

@tapegram

Issue workflow progress

Progress of the issue based on the Contributor Workflow

  • 1. The issue provides a reproduction available on GitHub, Stackblitz or CodeSandbox

    For example, you can start off by editing the 'basic' example on Stackblitz.

    Please make sure the graphql-eslint version under package.json matches yours.

  • 2. A failing test has been provided

  • 3. A local solution has been provided

  • 4. A pull request is pending review


Describe the bug

Dependabot is reporting a transitive dependency needs updating:

[Screenshot 2024-06-27 at 2 19 32 PM: the Dependabot alert]

It would be great if graphql-eslint could update its dependencies on graphql-tools once they release their updates.

They updated their version of ws in the last week:

ardatan/graphql-tools#6273


To Reproduce

Steps to reproduce the behavior:

Expected behavior

No more vulnerability in transitive dependencies!

Thanks!

@bxt

bxt commented Jun 28, 2024

It seems a recent version (>5) of graphql-config does not have this dependency chain anymore, and it was already updated in 296f700, so a fresh release of @graphql-eslint/eslint-plugin would already resolve the issue, I think.

@alimony

alimony commented Jul 1, 2024

@dimaMachina What are the plans for a new release? The last release was almost a year ago.

@Lukeaber

@dimaMachina @dotansimha Also seeing this issue through npm; is it possible to get a release?

@lucasrmendonca

Hi @comatory @dimaMachina, any plans for a new release to fix security vulnerabilities?

@EduardodaVeiga

For those who need it fixed without waiting for a new release, you can override the graphql-config version in package.json, since they have already fixed the issue. This will make the audit errors go away.

For yarn, just add this to package.json:
"resolutions": { "@graphql-eslint/eslint-plugin/graphql-config": "5.0.0" }

For npm:
"overrides": { "@graphql-eslint/eslint-plugin": { "graphql-config": "5.0.0" } }

You will still get a warning saying the versions are incompatible, but the errors go away.
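As an added example (not code from this thread or from the graphql-eslint project), two small helpers around the workaround above: `addOverride()` writes the yarn `resolutions` / npm `overrides` entry into a package.json object without clobbering existing entries, and `vulnerableGraphqlConfig()` walks a dependency tree in the JSON shape printed by `npm ls --all --json` to confirm that no `graphql-config` below major version 5 is still resolved. The sample tree and every version number in it are constructed for illustration.

```javascript
// Names and pin taken from the workaround in the thread
const PLUGIN = '@graphql-eslint/eslint-plugin';
const DEP = 'graphql-config';
const PINNED = '5.0.0';

// Merge the override into a package.json object, keeping existing entries
function addOverride(pkg, manager) {
  const out = { ...pkg };
  if (manager === 'yarn') {
    out.resolutions = { ...(pkg.resolutions || {}), [`${PLUGIN}/${DEP}`]: PINNED };
  } else if (manager === 'npm') {
    const existing = (pkg.overrides && pkg.overrides[PLUGIN]) || {};
    out.overrides = { ...(pkg.overrides || {}), [PLUGIN]: { ...existing, [DEP]: PINNED } };
  } else {
    throw new Error(`unknown package manager: ${manager}`);
  }
  return out;
}

// Major component of a plain semver string such as "4.5.2" (assumed: no prefix)
const major = (v) => parseInt(String(v).split('.')[0], 10);

// Recursively collect every path at which `name` resolves in an
// `npm ls --all --json` tree, together with the version found there
function findResolved(node, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) hits.push({ path: here.join(' > '), version: info.version });
    hits.push(...findResolved(info, name, here));
  }
  return hits;
}

// Any graphql-config below the pinned major still carries the old chain
function vulnerableGraphqlConfig(tree) {
  return findResolved(tree, DEP).filter((h) => major(h.version) < major(PINNED));
}

// Constructed sample tree: the plugin still pulling a 4.x graphql-config
const sampleTree = {
  name: 'app',
  dependencies: {
    [PLUGIN]: { version: '3.0.0', dependencies: { [DEP]: { version: '4.0.0' } } },
  },
};

console.log(vulnerableGraphqlConfig(sampleTree)); // one hit under the plugin
```

Feed the real output of `npm ls --all --json` to `vulnerableGraphqlConfig()` after reinstalling to check that the override actually took effect rather than trusting the audit summary alone.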
