Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
@apollographql/graphql-playground-html
Advanced tools
Readme
NOTE: This is a fork of graphql-playground-html
which is meant to be used by Apollo Server and only by Apollo Server. It is not intended to be used directly. Those looking to use GraphQL Playground directly can refer to the upstream repository for usage instructions.
SECURITY WARNING: Via the upstream fork, this package had a severe XSS Reflection attack vulnerability until version
1.6.25
of this package. While we have published a fix, users were only affected if they were using@apollographql/graphql-playground-html
directly as their own custom middleware. The direct usage of this package was never recommended as it provided no advantage over the upstream package in that regard. Users of Apollo Server who leverage this package automatically by the dependency declared within Apollo Sever were not affected since Apollo Server never provided dynamic facilities to customize playground options per request. Users of Apollo Server would have had to statically embedded very explicit vulnerabilities (e.g., using malicious, unescaped code,<script>
tags, etc.).
FAQs
GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).
The npm package @apollographql/graphql-playground-html receives a total of 1,208,859 weekly downloads. As such, @apollographql/graphql-playground-html popularity was classified as popular.
We found that @apollographql/graphql-playground-html demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.