Bump sha.js dependency to fix a vulnerability

Hey there Apollo Community :waving_hand:

There’s a vulnerable dependency in the @apollo/utils.createhash npm package.

It uses sha.js@2.4.11, which is vulnerable; the report is here: sha.js is missing type checks leading to hash rewind and passing on crafted data · CVE-2025-9288 · GitHub Advisory Database · GitHub

A fix is available by updating the sha.js dependency.

I’ve tried opening a PR, but, well, I was denied.

ERROR: Permission to apollographql/apollo-utils.git denied to constantin-melniciuc.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

To solve this locally for us, we just bumped the sha.js version in our own repository, but it’d be nice if this would come up fixed.

Thank you for your time.

Constantin

I believe there’s no need for action here - that package has a dependency on ^2.4.11, not 2.4.11 - that means “anything in the range >=2.4.11 <3.0.0”.

Your package manager should be able to update to 2.4.12 just fine, and any future installation of @apollo/utils.createhash will end up using the latest, non-vulnerable version.
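The range arithmetic in the reply above, worked through as an added example that is not code from the thread, Apollo or sha.js: a caret range such as "^2.4.11" already admits 2.4.12, so what decides whether the vulnerable build is installed is the lockfile pin, which `npm update sha.js` moves forward. The lockfile fragments, the `checkPin` helper and the advisory record (sha.js below 2.4.12, the version the reply names as non-vulnerable) are constructed for this example.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}
// Three-way comparison of two versions: -1, 0 or 1.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// Exclusive upper bound of a caret range: ^2.4.11 -> <3.0.0, ^0.4.11 -> <0.5.0,
// ^0.0.1 -> <0.0.2 (the 0.x cases are where caret is most often misread).
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}
// True when `version` lies inside the caret `range` (">=base <upperBound").
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = range.slice(1);
  return compare(version, base) >= 0 && compare(version, caretUpperBound(base)) < 0;
}

// Constructed advisory record, taken from the thread: sha.js below 2.4.12 carries CVE-2025-9288.
const SHA_JS_ADVISORY = { name: 'sha.js', fixedIn: '2.4.12' };

// Hypothetical check over a package-lock "packages" map: what is pinned, is the pin
// vulnerable, and does every declared range admit the fix (so `npm update` suffices
// and no override is needed)?
function checkPin(lockPackages, advisory) {
  const pinned = lockPackages[`node_modules/${advisory.name}`].version;
  const ranges = Object.values(lockPackages)
    .map(p => p.dependencies && p.dependencies[advisory.name])
    .filter(Boolean);
  return {
    pinned,
    vulnerable: compare(pinned, advisory.fixedIn) < 0,
    fixWithinRange: ranges.every(r => satisfiesCaret(advisory.fixedIn, r)),
  };
}

// Constructed lockfile fragments: the pin before and after `npm update sha.js`.
const LOCK_BEFORE_UPDATE = {
  'node_modules/@apollo/utils.createhash': { version: '3.0.1', dependencies: { 'sha.js': '^2.4.11' } },
  'node_modules/sha.js': { version: '2.4.11' },
};
const LOCK_AFTER_UPDATE = { ...LOCK_BEFORE_UPDATE, 'node_modules/sha.js': { version: '2.4.12' } };
```

Running `checkPin` on the "before" fragment reports the pin as vulnerable but the fix as already within range, which is exactly the situation where a plain update, not an override, is the right remedy.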

Sure, overrides work as well, but npm audit shows the Apollo packages as a critical vulnerability.

I’d say this is a must upgrade.

Thanks.

I just created a new project with this package.json

{
  "name": "test",
  "dependencies": {
    "@apollo/utils.createhash": "^3.0.1"
  }
}

Running the commands:

% npm i

added 32 packages, and audited 33 packages in 777ms

16 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
% npm audit
found 0 vulnerabilities
% npm why sha.js
sha.js@2.4.12
node_modules/sha.js
  sha.js@"^2.4.11" from @apollo/utils.createhash@3.0.1
  node_modules/@apollo/utils.createhash
    @apollo/utils.createhash@"^3.0.1" from the root project
% npm ls sha.js
test@ /tmp/test
└─┬ @apollo/utils.createhash@3.0.1
  └── sha.js@2.4.12

Npm behaves as expected, does not install the vulnerable version, and npm audit seems to take that on correctly.

Did you run npm update or npm update sha.js on your end before running npm audit?

Hm… I did not do that. Didn’t know about it tbh. :man_shrugging:

Thank you for the suggestion.