[
https://issues.apache.org/jira/browse/UNOMI-860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Francois Gerthoffert reassigned UNOMI-860:
------------------------------------------
Assignee: Francois Gerthoffert
> Depends on vulnerable versions of graphql-playground-react
> ----------------------------------------------------------
>
> Key: UNOMI-860
> URL: https://issues.apache.org/jira/browse/UNOMI-860
> Project: Apache Unomi
> Issue Type: Bug
> Affects Versions: unomi-2.5.0
> Reporter: senbork
> Assignee: Francois Gerthoffert
> Priority: Critical
> Fix For: unomi-2.5.0
>
>
> *Hi, [~shuber]*
> *Issue Description*
> Project *_unomi_* depends on a vulnerable JS package
> *_"graphql-playground-react": "^1.7.27"_*
> (CVE-2021-41249, https://github.com/advisories/GHSA-59r9-6jp6-jcm7) in the
> file _graphql/graphql-playground/package.json_. Since *_unomi_* is a
> popular Java library (*Stars: 278*) which is directly or transitively
> used by a large number of Maven projects, downstream developers are
> hardly aware of the potential security issues introduced by
> cross-language dependencies.
>
> *Suggested Solution*
> *_graphql-playground-react_* has fixed the vulnerability (CVE-2021-41249)
> in its versions >= _1.7.28_.
>
> Could you please upgrade the above *_graphql-playground-react_* package to
> its patched versions >= _1.7.28_?
>
> Thanks a lot for your help.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)