senbork created UNOMI-860:
-----------------------------
Summary: Depends on vulnerable versions of graphql-playground-react
Key: UNOMI-860
URL: https://issues.apache.org/jira/browse/UNOMI-860
Project: Apache Unomi
Issue Type: Bug
Affects Versions: unomi-2.5.0
Reporter: senbork
Fix For: unomi-2.5.0
Hi, shuber

Issue Description

Project unomi depends on a vulnerable JS package, "graphql-playground-react": "^1.7.27" (CVE-2021-41249, https://github.com/advisories/GHSA-59r9-6jp6-jcm7), in the file graphql/graphql-playground/package.json. Since unomi is a popular Java library (Stars: 278) that is directly or transitively used by a large number of Maven projects, downstream developers are hardly aware of the potential security issues introduced by the cross-language dependencies.

Suggested Solution

graphql-playground-react has fixed the vulnerability (CVE-2021-41249) in its versions >= 1.7.28. Could you please upgrade the above graphql-playground-react package to a patched version >= 1.7.28?

Thanks a lot for your help.
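An added check for the kind of problem reported above (example code, not part of the issue or of the Unomi project): it reads a package.json fragment and flags any dependency whose declared range still admits a version below an advisory's first fixed release. The package.json text and the advisory table are constructed from the values quoted in this issue; the range parser is a deliberately minimal stand-in for a real semver library.

```javascript
// Added example, not code from the Jira issue or the Unomi project: flags any
// package.json dependency whose declared range can still resolve to a version
// below an advisory's first fixed release. Handles ^, ~, >= and exact ranges
// without external packages; the caret/tilde floor is the version after the operator.

// Constructed package.json fragment mirroring the range quoted in UNOMI-860.
const PACKAGE_JSON = JSON.stringify({
  name: "graphql-playground",
  dependencies: { "graphql-playground-react": "^1.7.27" }
});

// Advisory data as stated in the issue: fixed in versions >= 1.7.28.
const ADVISORIES = {
  "graphql-playground-react": { id: "CVE-2021-41249", fixedIn: "1.7.28" }
};

// Numeric three-way comparison of dotted versions (no pre-release handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lowest version the range can resolve to.
function rangeFloor(range) {
  const m = /^\s*(\^|~|>=)?\s*(\d+\.\d+\.\d+)\s*$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[2];
}

// One finding per dependency whose floor is below the advisory's fixed version.
function findVulnerableRanges(packageJsonText, advisories) {
  const deps = JSON.parse(packageJsonText).dependencies || {};
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const adv = advisories[name];
    if (!adv) continue;
    const floor = rangeFloor(range);
    if (compareVersions(floor, adv.fixedIn) < 0) {
      findings.push({ name, range, advisory: adv.id, suggested: `^${adv.fixedIn}` });
    }
  }
  return findings;
}

console.log(findVulnerableRanges(PACKAGE_JSON, ADVISORIES));
```

A lockfile may already pin a later release, but the manifest floor is what the package guarantees to every downstream consumer, so raising it to "^1.7.28" is the change that makes the finding disappear.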
--
This message was sent by Atlassian Jira
(v8.20.10#820010)