anvilco / apollo-server-plugin-introspection-metadata Goto Github PK

Hello,

We are a user of spectaql which has this package as a dependency. Lodash.set is vulnerable to a "HIGH" severity prototype pollution issue. However, the package lodash.set is no longer updated. Could you please update to lodash 4.17.19 (or greater) and remove the dependency on lodash.set?

Links:

lodash.set vuln: GHSA-p6mc-m468-83gw
lodash.set hasn't been updated in 7 years: https://www.npmjs.com/package/lodash.set

Thank you!

Hi @newhouse ,

Thinking that maybe our node version is the problem here ?

tooling:

  "type": "module",
  "engines": {
    "node": "18.4.0",
    "yarn": "^1.22.19"
  },
  "dependencies": {
    "@anvilco/apollo-server-plugin-introspection-metadata": "^1.2.2",
    "@apollo/gateway": "2.1.1",
    "apollo-server": "^3.10.2",
    "apollo-server-core": "^3.10.1",
    "apollo-server-errors": "^3.3.1",
    "apollo-server-express": "^3.10.1",
    "express": "^4.18.1",
    "graphql": "^16.6.0",
    "spectaql": "^1.5.6",
}

using:

  plugins.push(
    IntrospectionMetadataPlugin({
      schemaMetadata: schemaMetadataByKind,
    }),
    ApolloServerPluginUsageReporting({
      fieldLevelInstrumentation: 0.5,
    }),
    createApolloPlugin(appsignal),
    ApolloServerPluginInlineTrace(),
    logPlugin
  );

getting below: