
DOMA-3959: Patch Dicer (keystone -> graphql-upload -> busboy -> dicer) #3815

Merged (2 commits) Sep 7, 2023

Conversation

@toplenboren (Member) commented Sep 4, 2023

Problem:

We are using keystone-v5 in our open source condominium management software.

We recently encountered a bug where keystone crashes while processing multipart requests. It seems that the issue might be related to the old versions of the dicer and busboy packages.

Our issue looks awfully similar to this security flaw: GHSA-wm7h-9275-46v2, which has already been fixed in the apollo-graphql v15.0.0 release.

Considering this, we decided to bump the dependency from 11.0.0 to version 15.0.2.

Solution:

This PR bumps graphql-upload in the whole project to 15.0.2, which has GHSA-wm7h-9275-46v2 fixed.

Implementation details

We do this using internal yarn functionality. Patches should be applied when you run `yarn` (see https://yarnpkg.com/cli/patch).

  1. Fix graphql-upload version in root package.json
  2. Create patches that implement support for graphql-upload@15.*.* in Keystone
  3. Fix "@keystonejs/keystone" and "@keystonejs/app-graphql" versions to the patched version:

     "@keystonejs/keystone": "patch:@keystonejs/keystone@npm:19.3.4#.yarn/patches/@keystonejs-keystone-npm-19.3.4-2a53e53061.patch",
     "@keystonejs/app-graphql": "patch:@keystonejs/app-graphql@npm:6.3.2#.yarn/patches/@keystonejs-app-graphql-npm-6.3.2-26fe50b988.patch"

Caveats:

- create patches for @keystonejs/app-graphql, @keystonejs/keystone
- learn how to support patches using yarn
- write correct resolutions
- do minor updates
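As an added example (my code, not the condo project's or Keystone's), a Node script that checks whether a Yarn Berry lockfile still resolves the chain named in the PR title, keystone -> graphql-upload -> busboy -> dicer, and whether graphql-upload is at or past the 15.0.0 release the description says carries the fix. The lockfile excerpts and the versions in them are constructed for illustration; the `patch:` descriptor shape follows the resolutions shown above, and the parser, `cmpSemver`, `findPath` and `auditLock` are mine.

```javascript
// Added example, not code from the condo project or Keystone: audit a Yarn Berry
// lockfile for the keystone -> graphql-upload -> busboy -> dicer chain. Node
// built-ins only; the lockfile excerpts below are constructed, versions illustrative.
// Minimal parser for the Yarn Berry yarn.lock layout (top-level descriptor key,
// indented `version:` and `dependencies:`). Returns Map<name, [{ version, deps }]>.
function parseBerryLock(text) {
  const pkgs = new Map();
  let cur = null, inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      // Name from the first descriptor; indexOf('@', 1) skips a scoped name's own '@'.
      const first = line.replace(/:$/, '').replace(/^"|"$/g, '').split(',')[0].trim();
      const at = first.indexOf('@', 1); // -1 for non-package keys such as __metadata
      inDeps = false;
      cur = at < 0 ? null : { version: null, deps: {} };
      if (cur) {
        const name = first.slice(0, at);
        if (!pkgs.has(name)) pkgs.set(name, []);
        pkgs.get(name).push(cur);
      }
    } else if (indent === 2 && cur) {
      inDeps = line === 'dependencies:';
      const m = line.match(/^version:\s*"?([^"]+?)"?$/);
      if (m) cur.version = m[1];
    } else if (indent === 4 && inDeps && cur) {
      const m = line.match(/^"?([^"]+?)"?:\s*"?([^"]*)"?$/);
      if (m) cur.deps[m[1]] = m[2];
    }
  }
  return pkgs;
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function cmpSemver(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

// Depth-first search over package names for a dependency path from -> to.
function findPath(pkgs, from, to) {
  const stack = [[from]], seen = new Set();
  while (stack.length) {
    const path = stack.pop(), name = path[path.length - 1];
    if (name === to) return path;
    if (seen.has(name)) continue;
    seen.add(name);
    for (const entry of pkgs.get(name) || []) {
      for (const dep of Object.keys(entry.deps)) stack.push([...path, dep]);
    }
  }
  return null;
}

// Findings are strings; an empty array means the lockfile is clean. The 15.0.0
// threshold is the fix release the PR description names for GHSA-wm7h-9275-46v2.
function auditLock(text, { fixedAt = '15.0.0', root = '@keystonejs/keystone' } = {}) {
  const findings = [], pkgs = parseBerryLock(text);
  for (const e of pkgs.get('graphql-upload') || []) {
    if (cmpSemver(e.version, fixedAt) < 0) {
      findings.push(`graphql-upload ${e.version} predates the GHSA-wm7h-9275-46v2 fix (${fixedAt})`);
    }
  }
  const path = findPath(pkgs, root, 'dicer');
  if (path) findings.push(`dicer still reachable: ${path.join(' -> ')}`);
  return findings;
}

// Constructed excerpt resembling the tree before this PR.
const LOCK_BEFORE = `
"@keystonejs/keystone@npm:19.3.4":
  version: 19.3.4
  dependencies:
    graphql-upload: "npm:^11.0.0"
"graphql-upload@npm:^11.0.0":
  version: 11.0.0
  dependencies:
    busboy: "npm:^0.3.1"
"busboy@npm:^0.3.1":
  version: 0.3.1
  dependencies:
    dicer: "npm:0.3.0"
`;
// Constructed excerpt after the patch: the root resolves through the `patch:`
// protocol and graphql-upload 15 pulls busboy 1.x, which declares no dicer dependency.
const LOCK_AFTER = `
"@keystonejs/keystone@patch:@keystonejs/keystone@npm%3A19.3.4#.yarn/patches/@keystonejs-keystone-npm-19.3.4-2a53e53061.patch":
  version: 19.3.4
  dependencies:
    graphql-upload: "npm:15.0.2"
"graphql-upload@npm:15.0.2":
  version: 15.0.2
  dependencies:
    busboy: "npm:^1.0.0"
"busboy@npm:^1.0.0":
  version: 1.6.0
`;
```

To run it against a real tree, replace the constructed excerpts with the repository's own file, e.g. `auditLock(require('fs').readFileSync('yarn.lock', 'utf8'))`, and fail CI when the returned array is non-empty; the DFS reports the first path it finds, so re-run after each fix until it returns nothing.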
@sonarcloud bot commented Sep 4, 2023

Kudos, SonarCloud Quality Gate passed!

  Bug: A (0 Bugs)
  Vulnerability: A (0 Vulnerabilities)
  Security Hotspot: A (0 Security Hotspots)
  Code Smell: A (0 Code Smells)
  No Coverage information
  0.0% Duplication

@toplenboren toplenboren changed the title Patch dicer locally DOMA-3959: Patch Dicer (keystone -> graphql-upload -> busboy -> dicer) Sep 4, 2023
@toplenboren toplenboren merged commit 4ea3517 into master Sep 7, 2023
11 checks passed
@toplenboren toplenboren deleted the toplenboren-patch-dicer branch September 7, 2023 09:01