@graphql-codegen/cli/.../cli@1.1.4-alpha-8b7cd3a4.0 vulnerabilities

  • latest version: 5.0.3

  • first published: 5 years ago

  • latest version published: 2 months ago

  • Direct Vulnerabilities

    Known vulnerabilities in the @graphql-codegen/cli package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity: M): Insecure Default Configuration

    @graphql-codegen/cli is the CLI client for GraphQL Code Generator, which can be used to generate code from a GraphQL schema.

    Affected versions of this package are vulnerable to Insecure Default Configuration. The NODE_TLS_REJECT_UNAUTHORIZED environment variable is set to the value 0 in all versions of the package, disabling TLS certificate verification. This flaw can be exploited by a man-in-the-middle (MiTM) attacker, allowing the attacker to view a victim's HTTPS traffic.

    It should be noted that with the release of graphql-code-generator version 1.1.0, the CLI component was split out into a separate package, "@graphql-codegen/cli".

    How to fix Insecure Default Configuration?

    Upgrade @graphql-codegen/cli to version 1.2.0 or higher.

    Vulnerable version: <1.2.0