GMS-2020-278: Insecure Default Configuration in graphql-code-generator
Versions of graphql-code-generator have an Insecure Default Configuration. The package sets NODE_TLS_REJECT_UNAUTHORIZED to 0, disabling TLS certificate verification for the entire project. This results in Insecure Communication for the process.
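One way to catch this behaviour when a dependency is loaded, as an added example that is not code from graphql-code-generator or from this advisory. The helper names `tlsVerificationDisabled` and `loadWithTlsGuard` are hypothetical, and the loader in the demo is a constructed stand-in for an offending package.

```javascript
// Added example: detect and undo a dependency that writes
// NODE_TLS_REJECT_UNAUTHORIZED into the environment while it loads.
const TLS_VAR = 'NODE_TLS_REJECT_UNAUTHORIZED';

// Node.js skips certificate verification only when the value is exactly '0'.
function tlsVerificationDisabled(env = process.env) {
  return env[TLS_VAR] === '0';
}

// Run `load` (for example () => require('some-package')), compare the
// variable before and after, and restore the earlier state if it changed.
function loadWithTlsGuard(load, env = process.env) {
  const hadBefore = Object.prototype.hasOwnProperty.call(env, TLS_VAR);
  const before = env[TLS_VAR];
  let result;
  let error;
  try {
    result = load();
  } catch (e) {
    error = e; // still restore the variable before rethrowing
  }
  const after = env[TLS_VAR];
  const tampered = after !== before;
  if (tampered) {
    if (hadBefore) env[TLS_VAR] = before;
    else delete env[TLS_VAR];
  }
  if (error) throw error;
  return {
    result,
    tampered,
    attemptedValue: tampered ? after : undefined,
    verificationDisabled: tlsVerificationDisabled(env),
  };
}

// Constructed demo: a stand-in loader that behaves as the advisory describes.
const demoEnv = {};
const report = loadWithTlsGuard(() => {
  demoEnv[TLS_VAR] = '0';
  return 'loaded';
}, demoEnv);
console.log(report);
```

The guard only sees changes made while `load` runs; a package that sets the variable later, inside a function call, needs the same before/after check around that call.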