@graphql-codegen/cli@1.1.4-alpha-a7fdafd6.16 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @graphql-codegen/cli package. This does not include vulnerabilities belonging to this package’s dependencies.

Insecure Default Configuration (severity: M)

@graphql-codegen/cli is the CLI client for GraphQL Code Generator, which can be used to generate code from a GraphQL schema.

Affected versions of this package are vulnerable to Insecure Default Configuration. The NODE_TLS_REJECT_UNAUTHORIZED environment variable is set to the value 0 in all affected versions of the package, which disables certificate verification for every TLS connection the Node.js process makes. This flaw can be exploited by a Man-in-the-middle (MiTM) attacker, allowing the attacker to view a victim's HTTPS traffic.

It should be noted that with the release of graphql-code-generator version 1.1.0, the CLI component was split out into a separate package, "@graphql-codegen/cli".

How to fix Insecure Default Configuration?

Upgrade @graphql-codegen/cli to version 1.2.0 or higher.