Affected versions of this package are vulnerable to Information Exposure. It does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations and human-readable names.
Upgrade apollo-server-core to version 2.4.12 or higher.
node-fetch is a light-weight module that brings window.fetch to Node.js.
Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.
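Alongside the upgrade, a caller can enforce its own cap on the bytes it reads, which applies to whatever response is finally received, however many redirects were followed. The following is an added example, not node-fetch code; the names BodyTooLargeError, createByteBudget, collectChunks and readBodyWithLimit are hypothetical, and it assumes the body is an async iterable of chunks, as the Node Readable exposed by node-fetch v2 as `res.body` is.

```javascript
// Caller-side cap on response body size (added example; names are hypothetical).
class BodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`body exceeded ${limit} bytes (read at least ${seen})`);
    this.name = 'BodyTooLargeError';
    this.limit = limit;
    this.seen = seen;
  }
}

// Byte accounting kept separate from I/O so it can be fed chunk by chunk.
function createByteBudget(maxBytes) {
  if (!Number.isSafeInteger(maxBytes) || maxBytes < 0) {
    throw new RangeError('maxBytes must be a non-negative integer');
  }
  const chunks = [];
  let total = 0;
  return {
    push(chunk) {
      const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
      total += buf.length;
      // Fail as soon as the cap is crossed, before buffering the chunk.
      if (total > maxBytes) throw new BodyTooLargeError(maxBytes, total);
      chunks.push(buf);
    },
    result() {
      return Buffer.concat(chunks, total);
    },
  };
}

// Synchronous form for chunks already in memory.
function collectChunks(chunks, maxBytes) {
  const budget = createByteBudget(maxBytes);
  for (const chunk of chunks) budget.push(chunk);
  return budget.result();
}

// Streaming form: `body` is any async iterable of chunks. Throwing inside
// `for await` ends the iteration, which destroys a Node Readable source.
async function readBodyWithLimit(body, maxBytes) {
  const budget = createByteBudget(maxBytes);
  for await (const chunk of body) budget.push(chunk);
  return budget.result();
}
```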