CVE-2022-24434 Vulnerability in dependency of apollo-server-core

[eiiot]

@apollo-server-vercel depends on @apollographql/apollo-server-core 2.25.4 which depends on @apollographql/graphql-upload-8-fork, which depends on busboy <=0.3.1, which depends on a version of dicer which is vulnerable to a Denial of Service attack and has been assigned GHSA-wm7h-9275-46v2. The busboy maintainer has released a new busboy version 1.0.0 which removes the vulnerable dependency alltogether: mscdex/busboy#266. Unfortunately, @apollographql/graphql-upload-8-fork still depends on vulnerable busboy 0.3.1.

It looks as if this won't be fixed in @apollographql/graphql-upload-8-fork? See apollographql/apollo-server#6485

yarn audit v1.22.18
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Crash in HeaderParser in dicer                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dicer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @saeris/apollo-server-vercel                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @saeris/apollo-server-vercel > apollo-server-core >          │
│               │ @apollographql/graphql-upload-8-fork > busboy > dicer        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1070404                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1262
Severity: 1 High

[Saeris]

This project is now deprecated as announced in #15. Thank you for the report though!