Description
Version
5.0.6
Reproduction link
Environment info
@vue/cli 5.0.6 and 4.5.18
Steps to reproduce
An audit reports 7 instances of a high-severity vulnerability in the dicer package, a dependency of busboy@0.3.1, which is a transient dependency of apollo-server@2.25.4, which @vue/cli depends on (both versions 4 & 5).
    dicer  *
    Severity: high
    Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
    node_modules/dicer
      busboy  <=0.3.1
      Depends on vulnerable versions of dicer
      node_modules/busboy
        @apollographql/graphql-upload-8-fork  *
        Depends on vulnerable versions of busboy
        node_modules/@apollographql/graphql-upload-8-fork
          apollo-server-core  2.21.0-alpha.0 - 2.25.4
          Depends on vulnerable versions of @apollographql/graphql-upload-8-fork
          node_modules/apollo-server-core
            apollo-server-express  2.0.1 || 2.21.0-alpha.0 - 2.25.4
            Depends on vulnerable versions of apollo-server-core
            node_modules/apollo-server-express
              @vue/cli-ui  >=5.0.0-alpha.0
              Depends on vulnerable versions of apollo-server-express
              node_modules/@vue/cli-ui
                @vue/cli  >=5.0.0-alpha.0
                Depends on vulnerable versions of @vue/cli-ui
                node_modules/@vue/cli

    7 high severity vulnerabilities
I've reported this to the apollo-server repo, and their proposed solution is to use version 3 instead of 2 in @vue/cli:

"Please upgrade to AS3. AS4 is close to ready! AS2 ships with hardcoded integrations with many pieces of outdated and unmaintained software."
apollographql/apollo-server#6590
apollographql/apollo-server#6485
Is it possible to update Apollo Server to v3 to fix the vulnerabilities found in the transient dependency busboy / dicer of v2?
What is expected?
No security vulnerabilities should be reported in dependencies.
What is actually happening?
High severity vulnerability reports when auditing.
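The audit output above is a single chain of seven packages, each flagged only because the one below it is. The following script is an added example, not part of this issue or of @vue/cli: it walks the `effects` links of an `npm audit --json` (auditReportVersion 2) report from the advisory's package up to the top-level dependency that actually has to be upgraded or replaced, so a triage can tell a real advisory from the packages merely inheriting it. The report fragment is constructed to mirror the chain in this issue and fills in only the fields the script reads.

```javascript
// Constructed `npm audit --json` fragment modelled on the dicer -> @vue/cli chain
// reported in the issue. Real reports carry more fields (nodes, range, fixAvailable).
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    "dicer": { severity: "high", isDirect: false, effects: ["busboy"],
      via: [{ title: "Crash in HeaderParser in dicer",
              url: "https://github.com/advisories/GHSA-wm7h-9275-46v2", range: "*" }] },
    "busboy": { severity: "high", isDirect: false,
      effects: ["@apollographql/graphql-upload-8-fork"], via: ["dicer"] },
    "@apollographql/graphql-upload-8-fork": { severity: "high", isDirect: false,
      effects: ["apollo-server-core"], via: ["busboy"] },
    "apollo-server-core": { severity: "high", isDirect: false,
      effects: ["apollo-server-express"], via: ["@apollographql/graphql-upload-8-fork"] },
    "apollo-server-express": { severity: "high", isDirect: false,
      effects: ["@vue/cli-ui"], via: ["apollo-server-core"] },
    "@vue/cli-ui": { severity: "high", isDirect: false,
      effects: ["@vue/cli"], via: ["apollo-server-express"] },
    "@vue/cli": { severity: "high", isDirect: true, effects: [], via: ["@vue/cli-ui"] },
  },
};

// Every path from `pkg` upward through `effects` to a package nothing else depends on.
// `seen` guards against cycles, which npm reports can contain for peer dependencies.
function impactChains(report, pkg, seen = new Set()) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || seen.has(pkg) || entry.effects.length === 0) return [[pkg]];
  const visited = new Set(seen).add(pkg);
  const chains = [];
  for (const dep of entry.effects) {
    for (const chain of impactChains(report, dep, visited)) chains.push([pkg, ...chain]);
  }
  return chains;
}

// Advisory objects live in `via`; plain strings there are just upstream package names.
function advisoriesFor(report, pkg) {
  return (report.vulnerabilities[pkg]?.via ?? []).filter((v) => typeof v === "object");
}

// One summary row per chain: the root to act on, how deep the advisory sits, the path.
function summarize(report, pkg) {
  return impactChains(report, pkg).map((chain) => ({
    root: chain[chain.length - 1],
    depth: chain.length - 1,
    chain: chain.join(" -> "),
    advisories: advisoriesFor(report, pkg).map((a) => a.url),
  }));
}

console.log(JSON.stringify(summarize(report, "dicer"), null, 2));
```

Run against a real report with `npm audit --json > audit.json` and replace the constructed object with `JSON.parse(fs.readFileSync("audit.json"))`; packages whose `via` contains no advisory objects are inherited findings, and the `root` column is where a fix (here, moving apollo-server to v3) has to land.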