Description
Version
5.0.6
Reproduction link
Environment info
@vue/cli 5.0.6 and 4.5.18
Steps to reproduce
An audit reports 7 instances of a high-severity vulnerability in the dicer package, a dependency of busboy@0.3.1, which is a transient dependency of apollo-server@2.25.4, which @vue/cli depends on (both versions 4 & 5).
```
dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    @apollographql/graphql-upload-8-fork  *
    Depends on vulnerable versions of busboy
    node_modules/@apollographql/graphql-upload-8-fork
      apollo-server-core  2.21.0-alpha.0 - 2.25.4
      Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
      node_modules/apollo-server-core
        apollo-server-express  2.0.1 || 2.21.0-alpha.0 - 2.25.4
        Depends on vulnerable versions of apollo-server-core
        node_modules/apollo-server-express
          @vue/cli-ui  >=5.0.0-alpha.0
          Depends on vulnerable versions of apollo-server-express
          node_modules/@vue/cli-ui
            @vue/cli  >=5.0.0-alpha.0
            Depends on vulnerable versions of @vue/cli-ui
            node_modules/@vue/cli

7 high severity vulnerabilities
```
I've reported this to the apollo-server repo, and their proposed solution is to use version 3 instead of 2 in @vue/cli:

> Please upgrade to AS3. AS4 is close to ready! AS2 ships with hardcoded integrations with many pieces of outdated and unmaintained software.
apollographql/apollo-server#6590
apollographql/apollo-server#6485
Is it possible to update Apollo Server to v3 to fix the vulnerabilities found in the transient dependency busboy / dicer of v2?
What is expected?
No security vulnerabilities should be reported in dependencies.
What is actually happening?
High severity vulnerability reports when auditing.
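To see how npm arrives at a chain like the one in the report above, and why a single advisory in dicer is summarised as seven high severity vulnerabilities, here is an added example that walks an `npm audit --json` report from a root package down to the advisories behind it. This is not code from this issue, from @vue/cli or from apollo-server. The report object is a constructed sample shaped like npm 7+ `auditReportVersion: 2` output and mirrors the packages listed in the issue; the advisory `source` id is a placeholder, and `entry`, `traceAdvisories`, `countFlagged` and `topLevelFlagged` are names chosen for this example.

```javascript
// Added example, not code from the @vue/cli issue or the apollo-server project.
// Walks an `npm audit --json` (auditReportVersion 2, npm 7+) report from a root
// package down its `via` edges to the advisories that cause it to be flagged.
// `sampleReport` is a constructed sample shaped like real npm output and
// mirrors the chain quoted in the issue.

function entry(name, range, via, effects) {
  // One report entry; every package on the path to an advisory gets one.
  return {
    name, severity: "high", isDirect: false, range, via, effects,
    nodes: [`node_modules/${name}`], fixAvailable: false,
  };
}

const dicerAdvisory = {
  source: 0, // constructed placeholder; real reports carry the GitHub advisory id
  name: "dicer", dependency: "dicer",
  title: "Crash in HeaderParser in dicer",
  url: "https://github.com/advisories/GHSA-wm7h-9275-46v2",
  severity: "high", range: "*",
};

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "dicer": entry("dicer", "*", [dicerAdvisory], ["busboy"]),
    "busboy": entry("busboy", "<=0.3.1", ["dicer"], ["@apollographql/graphql-upload-8-fork"]),
    "@apollographql/graphql-upload-8-fork": entry("@apollographql/graphql-upload-8-fork", "*",
      ["busboy"], ["apollo-server-core"]),
    "apollo-server-core": entry("apollo-server-core", "2.21.0-alpha.0 - 2.25.4",
      ["@apollographql/graphql-upload-8-fork"], ["apollo-server-express"]),
    "apollo-server-express": entry("apollo-server-express", "2.0.1 || 2.21.0-alpha.0 - 2.25.4",
      ["apollo-server-core"], ["@vue/cli-ui"]),
    "@vue/cli-ui": entry("@vue/cli-ui", ">=5.0.0-alpha.0", ["apollo-server-express"], ["@vue/cli"]),
    "@vue/cli": entry("@vue/cli", ">=5.0.0-alpha.0", ["@vue/cli-ui"], []),
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 7, critical: 0, total: 7 } },
};

// Follow `via` edges depth-first from `root`. Each `via` element is either the
// name of another flagged package or an advisory object (the actual cause).
// Returns one { chain, advisory } per advisory reached, chain = [root, ..., leaf].
function traceAdvisories(report, root) {
  const vulns = report.vulnerabilities;
  const found = [];
  function visit(name, chain) {
    const v = vulns[name];
    if (!v || chain.includes(name)) return; // unknown package or cycle
    const path = [...chain, name];
    for (const via of v.via) {
      if (typeof via === "string") visit(via, path);
      else found.push({ chain: path, advisory: via });
    }
  }
  visit(root, []);
  return found;
}

// npm counts every flagged package, not every advisory: one advisory in dicer
// becomes "7 high severity vulnerabilities" because seven packages sit on the path.
function countFlagged(report, severity) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.severity === severity).length;
}

// Packages nothing else depends on (empty `effects`) are where the chain
// surfaces. Replacing any link on the chain with a version that no longer
// depends on the flagged package (e.g. apollo-server v3) clears every package above it.
function topLevelFlagged(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.effects.length === 0).map((v) => v.name);
}

for (const { chain, advisory } of traceAdvisories(sampleReport, "@vue/cli")) {
  console.log(`${chain.join(" -> ")}: ${advisory.title} (${advisory.url})`);
}
console.log(`${countFlagged(sampleReport, "high")} high severity vulnerabilities`);
```

Against a real project, replace `sampleReport` with `JSON.parse` of the output of `npm audit --json`; the same walk then shows which top-level package is responsible for each advisory and how many of the counted "vulnerabilities" are just packages sitting on one chain.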