fix(deps): update dependency graphql to v16 [security]#203

Open
renovate[bot] wants to merge 1 commit into
master from
renovate/npm-graphql-vulnerability

Conversation

@renovate renovate Bot commented Aug 6, 2024

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package   Change
graphql   ^15.0.0 -> ^16.0.0

graphql Uncontrolled Resource Consumption vulnerability

CVE-2023-26144 / GHSA-9pv7-vfvm-6vr7

More information

Details

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

Note: It was not proven that this vulnerability can crash the process.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

graphql/graphql-js (graphql)

v16.8.1

Compare Source

v16.8.1 (2023-09-19)

Bug Fix 🐞
Committers: 1

v16.8.0

Compare Source

v16.8.0 (2023-08-14)

New Feature 🚀
Committers: 1

v16.7.1

Compare Source

v16.7.1 (2023-06-22)

📢 Big shout out to @phryneas, who managed to reproduce this issue and come up with this fix.

Bug Fix 🐞
Committers: 1

v16.7.0

Compare Source

v16.7.0 (2023-06-21)

New Feature 🚀
Bug Fix 🐞
Committers: 3

v16.6.0

Compare Source

v16.6.0 (2022-08-16)
New Feature 🚀
Bug Fix 🐞
Committers: 2

v16.5.0

Compare Source

v16.5.0 (2022-05-09)

New Feature 🚀
Committers: 1

v16.4.0

Compare Source

v16.4.0 (2022-04-25)

New Feature 🚀
Bug Fix 🐞
Docs 📝
2 PRs were merged
Polish 💅
3 PRs were merged
Internal 🏠
26 PRs were merged
Dependency 📦
2 PRs were merged
Committers: 7

v16.3.0

Compare Source

v16.3.0 (2022-01-26)

New Feature 🚀
Bug Fix 🐞
Docs 📝
2 PRs were merged
Polish 💅
7 PRs were merged
Internal 🏠
5 PRs were merged
Dependency 📦
4 PRs were merged
Committers: 6

v16.2.0

Compare Source

v16.2.0 (2021-12-17)
New Feature 🚀
Docs 📝
Polish 💅
Internal 🏠
2 PRs were merged
Committers: 2

v16.1.0

Compare Source

v16.1.0 (2021-12-07)

New Feature 🚀
Bug Fix 🐞
Docs 📝
Polish 💅
9 PRs were merged
Internal 🏠
9 PRs were merged
Dependency 📦
4 PRs were merged
Committers: 5

v16.0.1

Compare Source

v16.0.1 (2021-11-01)

Bug Fix 🐞
Polish 💅
Internal 🏠
Committers: 1

v16.0.0

Compare Source

v16.0.0 (2021-10-28)
Breaking Change 💥
Deprecation ⚠
New Feature 🚀
Bug Fix 🐞
Docs 📝
5 PRs were merged
Polish 💅
119 PRs were merged

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
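The advisory above names an exact affected window: graphql 16.3.0 up to but not including 16.8.1. The range this PR lands on, ^16.0.0, still admits every version in that window, so the version that matters is the one a lockfile resolves to, not the range in package.json. The following is an added example, not part of the Renovate PR or of graphql-js, that checks resolved graphql versions in a package-lock.json "packages" map against the advisory's bounds. The lockfile content is constructed for the example; the helper names (parseVersion, compareVersions, isAffected, auditLockfile) are the example's own.

```javascript
// Added example: flag resolved graphql versions inside the window named by
// CVE-2023-26144 / GHSA-9pv7-vfvm-6vr7 (>=16.3.0, <16.8.1).
const VULNERABLE_FROM = '16.3.0'; // first affected version, per the advisory
const FIXED_IN = '16.8.1';        // first fixed version, per the advisory

// Parse "major.minor.patch[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Return -1, 0 or 1. A prerelease sorts before its release, so "16.8.1-rc.1"
// is treated as not yet fixed; that is the conservative reading for an audit.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// True when version is inside [VULNERABLE_FROM, FIXED_IN).
function isAffected(version) {
  return compareVersions(version, VULNERABLE_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Walk the lockfileVersion 2/3 "packages" map. Nested copies under another
// package's node_modules are reported too, since a transitive copy is just as
// reachable as the direct one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isGraphql = path === 'node_modules/graphql' ||
                      path.endsWith('/node_modules/graphql');
    if (!isGraphql || !entry.version) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from this repository): the direct copy is
// inside the affected window, the nested copy is already on the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { graphql: '^16.0.0' } },
    'node_modules/graphql': { version: '16.6.0' },
    'node_modules/some-lib/node_modules/graphql': { version: '16.8.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} ${f.affected ? 'AFFECTED' : 'ok'}`);
}
```

Run it with node; for a real project replace SAMPLE_LOCK with the parsed package-lock.json. The check deliberately reads the resolved `version` of each copy rather than the declared range, which is the only thing the Renovate change itself alters.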

@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 0409410 to 0baaa48 August 10, 2025 14:57
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 0baaa48 to ecd0e3b November 10, 2025 17:44
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from ecd0e3b to ce6c901 March 5, 2026 17:04
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from ce6c901 to 2b96b3c March 13, 2026 17:02
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16 [security] fix(deps): update dependency graphql to v16 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-graphql-vulnerability branch March 27, 2026 01:55
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16 [security] - autoclosed fix(deps): update dependency graphql to v16 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch 2 times, most recently from 2b96b3c to 8504f70 March 30, 2026 17:29
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16 [security] fix(deps): update dependency graphql to v16 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency graphql to v16 [security] - autoclosed fix(deps): update dependency graphql to v16 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 8504f70 to 19162a4 April 27, 2026 21:53
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from 19162a4 to fc619f3 May 12, 2026 17:28
@renovate renovate Bot force-pushed the renovate/npm-graphql-vulnerability branch from fc619f3 to 390206c June 11, 2026 17:44

@orca-security-eu orca-security-eu Bot left a comment

Orca Security Scan Summary

Status   Check                    Issues by priority
Passed   Infrastructure as Code   high 0   medium 0   low 0   info 0
Passed   OSS Licenses             high 0   medium 0   low 0   info 0
Passed   SAST                     high 0   medium 0   low 0   info 0
Passed   Secrets                  high 0   medium 0   low 0   info 0
Passed   Vulnerabilities          high 0   medium 0   low 0   info 0
