Vulnerability: class-validator

[mdesousa]

This vulnerability just came up in our security reports: https://nvd.nist.gov/vuln/detail/CVE-2019-18413
It appears that there is a forbidUnknownValues optional setting that can be enabled to reduce the risk.
Is type-graphql using this option? Thanks

[MichalLytek]

class-validator is an optional feature and users are deciding if they want to use that and can provide their own global default options.

[mdesousa]

Thanks @MichalLytek ... fyi GitHub is reporting this as a critical severity: typestack/class-validator#438
The challenge is that class-validator itself is not an optional dependency... it appears that type-graphql itself is using it in the code.
How can we provide global default options?

[MichalLytek]

Everything is described in docs:
https://typegraphql.com/docs/validation.html

[mdesousa]

Ah perfect, thanks... we'll probably disable it.

[MichalLytek]

TypeGraphQL is not affected by this vulnerability because in GraphQL you can't pass additional properties like __proto__

[mvarendorff]

It turns out that the NestJS team has forked class-validator to @nestjs/class-validator. Maybe it's a good idea to reference that maintained and patched fork in the docs and code. I am certainly willing to provide a PR but I wasn't sure if it was as easy as just slapping @nestjs/ in front of every mention of class-validator.