
Vulnerabilities in node_modules #1717

Closed
jujusa opened this issue Mar 15, 2021 · 5 comments
@jujusa

jujusa commented Mar 15, 2021

Report

We've recently added an OWASP vulnerability analysis step to our CI pipelines using DependencyCheck, and it reported two known vulnerabilities in some dependencies of Apollo. Looks like they are related to the JS components so please let me know if there is a better repo to report this to.

  1. Lodash (4.17.20) found in Pods/Apollo/scripts/apollo/node_modules/lodash/package.json CVE-2020-28500, CVE-2021-23337
  2. jQuery (2.1.1) found in Pods/Apollo/scripts/apollo/node_modules/await-to-js/dist/docs/assets/js/main.js CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023

I found a similar issue that was raised in the past here #439

Would it be possible to bump versions for those dependencies so they are not flagged? I'm not a JS expert so not sure how much effort it would be.

Versions

  • apollo-ios SDK version: 0.42.0
  • dependency-check version: 6.0.5

Steps to reproduce

  1. Pod install
  2. Build workspace in Xcode
  3. Run dependency-check
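A small triage scanner for the kind of finding reported above, added here as an example (it is not code from the Apollo projects or from DependencyCheck): it walks a Pods checkout, reads the version from every vendored package.json under node_modules, looks for the jQuery version banner in bundled .js assets such as the docs file named in the report, and compares each hit against a fixed-version baseline. The baseline numbers, the banner regex and the fixture tree are assumptions constructed for this example; the thread itself does not state which versions clear the flagged CVEs.

```python
import json
import os
import re
import tempfile

# Assumed baseline of "fixed" versions for this example only (placeholder values).
FIXED_BASELINE = {"lodash": (4, 17, 21), "jquery": (3, 5, 0)}
# Minified jQuery builds open with a banner such as "/*! jQuery v2.1.1 ..." (assumed).
JQUERY_BANNER = re.compile(r"jQuery v(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    # '4.17.20' -> (4, 17, 20); tolerates '4.17' and tags like '2.1.1-beta'
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def scan_pods(root):
    """Return sorted (name, version, relative path, below_baseline) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "node_modules" not in dirpath.split(os.sep):
            continue  # only vendored JS dependencies are of interest here
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == "package.json":
                with open(path, encoding="utf-8") as fh:
                    meta = json.load(fh)
                name, ver = meta.get("name", ""), parse_version(meta.get("version", "0"))
            elif fname.endswith(".js"):
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    match = JQUERY_BANNER.search(fh.read(4096))  # banner sits at the top
                if not match:
                    continue
                name, ver = "jquery", tuple(int(g) for g in match.groups())
            else:
                continue
            base = FIXED_BASELINE.get(name)
            findings.append((name, ver, os.path.relpath(path, root), base is not None and ver < base))
    return sorted(findings)


def build_sample_tree():
    # Constructed fixture mirroring the two paths named in the report above.
    root = tempfile.mkdtemp()
    lodash = os.path.join(root, "Pods/Apollo/scripts/apollo/node_modules/lodash")
    docs = os.path.join(root, "Pods/Apollo/scripts/apollo/node_modules/await-to-js/dist/docs/assets/js")
    for d in (lodash, docs):
        os.makedirs(d)
    with open(os.path.join(lodash, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "lodash", "version": "4.17.20"}, fh)
    with open(os.path.join(docs, "main.js"), "w", encoding="utf-8") as fh:
        fh.write("/*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. */\n")
    return root
```

Running `scan_pods(build_sample_tree())` flags both the lodash package.json and the jQuery banner in the docs asset; the second hit is worth noting in triage because it lives in documentation assets rather than code the SDK executes.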
@designatednerd
Contributor

Those issues would be happening in the apollo-tooling repo rather than here, though I'd need to update the version of apollo-tooling we're using from the iOS repo to ensure those changes get propagated. It looks like that repo doesn't presently have any warnings on it, but we may need to do a patch release to get all the merged dependency fixes in.

@jujusa
Author

jujusa commented Mar 16, 2021

Thank you so much for your quick reply @designatednerd, I have now raised this within the tooling project 🙇

@designatednerd
Contributor

An updated version of the CLI will go out with the next minor release (probably tomorrow).

@jujusa
Author

jujusa commented May 13, 2021

Thank you for the update. Can't wait to try it 🙂

@AnthonyMDev
Contributor

This version has been released!
