Upgrade vulnerable dependency #38

Closed
bencehornak opened this issue Jan 24, 2022 · 8 comments · Fixed by #40
@bencehornak

There is a severe vulnerability in one of the package's transitive dependencies. Output of npm audit:

node-fetch  <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
No fix available
node_modules/@firebase/firestore/node_modules/node-fetch
node_modules/@firebase/functions/node_modules/node-fetch
node_modules/@firebase/storage/node_modules/node-fetch
node_modules/cross-fetch/node_modules/node-fetch
  @firebase/firestore  <=0.0.900-exp.f919db6a9 || 1.16.2-20206244562 - 1.16.2-canary.f1299756 || >=1.16.3-20206291717
  Depends on vulnerable versions of node-fetch
  node_modules/@firebase/firestore
    firebase  0.800.3 - 0.900.25 || 7.9.1-0 - 7.9.1-canary.0396117e || 7.17.1-20206244562 - 7.17.1-canary.f1299756 || >=7.17.2-20206291717
    Depends on vulnerable versions of @firebase/firestore
    Depends on vulnerable versions of @firebase/functions
    Depends on vulnerable versions of @firebase/storage
    node_modules/firebase
  @firebase/functions  <=0.0.900-exp.f919db6a9 || 0.4.51-202088235442 - 0.4.51-eap-auth-emulator.df41ee388 || >=0.5.0-20209118324
  Depends on vulnerable versions of node-fetch
  node_modules/@firebase/functions
  @firebase/storage  <=0.0.900-exp.f43d0c698 || 0.5.5-202151602035 - 0.5.5-canary.f6e1645ef || 0.5.6-20216122160 - 0.9.1
  Depends on vulnerable versions of node-fetch
  node_modules/@firebase/storage
  cross-fetch  <=3.1.4 || >=3.2.0-alpha.0
  Depends on vulnerable versions of node-fetch
  node_modules/cross-fetch
    prismic-javascript  1.5.0-beta.0 - 2.7.1
    Depends on vulnerable versions of cross-fetch
    node_modules/prismic-javascript
      apollo-link-prismic  *
      Depends on vulnerable versions of prismic-javascript
      node_modules/apollo-link-prismic

Since prismic-javascript is deprecated and is not expected to receive any updates or fixes according to your deprecation notice, it means that you have to replace the prismic-javascript dependency with @prismicio/client.

Thanks for your help!

@angeloashmore
Member

Hi @bencehornak, thanks for the heads up! I'm in the process of refreshing this package to use the latest version of all dependencies, including @prismicio/client.

You can track progress in the aa/refresh branch.

I'll post here once the refreshed version is available.

@angeloashmore angeloashmore self-assigned this Jan 26, 2022
@bencehornak
Author

@angeloashmore is there a timeline to release your changes?

@angeloashmore
Member

angeloashmore commented Feb 1, 2022

@bencehornak I plan to publish an alpha version soon.

I'm running into an issue where invalid queries throw CORS errors rather than return the error to the client. Once that's resolved, I'll publish an alpha version so it can be tested in the wild. :)

@bencehornak
Author

Hey @angeloashmore, did you figure out the CORS errors?

Sorry for being pushy, I'd just like to remove the severe vulnerability from our prod app ASAP.

@bencehornak
Author

@angeloashmore did you manage to work around the CORS errors?

@angeloashmore
Member

Hey @bencehornak, thanks for your patience on this. I know this has been taking a while to get out. Yes, the CORS issue was resolved on Friday last week.

A PR with all changes was opened here: #40

I was about to publish an alpha for you to try, but I was blocked since I don't have access to the npm package. As soon as I have access, I will publish an alpha and, if it works for you, I will publish it as the latest version.

Thank you again @bencehornak!

@bencehornak
Author

Hey @angeloashmore, thanks for the great work, I'm looking forward to the release!

@angeloashmore
Member

@bencehornak I have publish access now! Could you try this release out and let me know the following?

  1. Does the upgrade resolve the vulnerability issue you were seeing? All dependencies have been updated to the latest version.
  2. Does your project continue to work as it did before? There should be no breaking changes as part of the upgrade.

You can upgrade your project with the following command:

npm i --save apollo-link-prismic@alpha

Although code changes are not required as part of the upgrade, I recommend making two changes:

  1. Replace PrismicLink(...) with createPrismicLink(...). This is just a function rename to match Apollo's createHttpLink() function.
  2. Replace the uri option with repositoryName.

With these changes, creating the link should look like the following:

import { ApolloClient, InMemoryCache } from "@apollo/client";
import { createPrismicLink } from "apollo-link-prismic";

const apolloClient = new ApolloClient({
	link: createPrismicLink({
		repositoryName: "YOUR_REPOSITORY_NAME",
		// Provide your access token if your repository is secured.
		accessToken: "YOUR_ACCESS_TOKEN",
	}),
	cache: new InMemoryCache(),
});

If everything works as expected, then I will publish this to latest for general use. Thanks!
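As an added example (not code from the apollo-link-prismic project or this thread), here is a small lockfile check a consumer can run after the upgrade to confirm that no nested copy of node-fetch below the fixed version 2.6.7 remains. It walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3); the lockfile fragment, version numbers and app name below are constructed to mirror the install paths in the audit output above.

```javascript
// Added example: scan a package-lock.json "packages" map for node-fetch installs
// below the fixed version and report every nested install path, mirroring the
// paths that `npm audit` flagged in the issue above.
const FIXED_NODE_FETCH = "2.6.7"; // first release not affected per the audit output

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A pre-release (2.6.7-beta.1) sorts below the corresponding release (2.6.7).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every install path whose final segment is `name` (hoisted or nested
// under another package's node_modules) with a version below `fixed`.
function findVulnerableInstalls(lock, name, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith(`node_modules/${name}`)) continue;
    if (entry.version && compareSemver(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not a real project's lockfile): the hoisted copy
// is fixed, but two nested copies are still on vulnerable versions.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/node-fetch": { version: "2.6.7" },
    "node_modules/cross-fetch": { version: "3.1.4" },
    "node_modules/cross-fetch/node_modules/node-fetch": { version: "2.6.1" },
    "node_modules/@firebase/storage/node_modules/node-fetch": { version: "2.6.0" },
  },
};

const vulnerable = findVulnerableInstalls(sampleLock, "node-fetch", FIXED_NODE_FETCH);
console.log(vulnerable.length ? vulnerable : "no vulnerable node-fetch installs");
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every copy, hoisted or nested, is at or above 2.6.7.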
