raml-1-parser has these vulnerable dependencies:
- json-ptr before 2.1.0 has an arbitrary code execution vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2020-7766
- underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function: https://nvd.nist.gov/vuln/detail/CVE-2021-23358
- xmldom before 0.5.0 allows maliciously crafted documents to make unexpected syntactic changes during XML processing https://nvd.nist.gov/vuln/detail/CVE-2021-21366
raml-1-parser is no longer maintained: https://www.npmjs.com/package/raml-1-parser
Use the "resolutions" section in package.json to bump the transitive dependencies to fixed versions.
In addition, run "yarn upgrade" to update yarn.lock. This enforces the fixed versions and also signals GitHub's Dependabot that mod-graphql no longer has these potential security issues.
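As an added example (my own, not code from this issue, mod-graphql or raml-1-parser): the "resolutions" block to merge into package.json, plus a small Node script that scans a yarn.lock for entries that still resolve to a version inside the three advisory ranges above. The yarn.lock parsing, the version comparison and the constructed sample lock are this example's own assumptions.

```javascript
// Added example, not code from the original issue or from mod-graphql:
// the "resolutions" block for package.json and a checker that scans a
// yarn.lock (v1 format) for entries still resolving to versions covered by
// the three advisories. The lock parsing and ranges are this example's own.
const resolutions = {
  'json-ptr': '^2.1.0',    // CVE-2020-7766, fixed in 2.1.0
  'underscore': '^1.12.1', // CVE-2021-23358, fixed in 1.12.1 (1.13.0-2 on the prerelease line)
  'xmldom': '^0.5.0',      // CVE-2021-21366, fixed in 0.5.0
};
// Vulnerable ranges as [lo, hi) pairs; null lo means every lower version.
const vulnerable = {
  'json-ptr': [[null, '2.1.0']],
  'underscore': [['1.3.2', '1.12.1'], ['1.13.0-0', '1.13.0-2']],
  'xmldom': [[null, '0.5.0']],
};
// Compare x.y.z[-pre] versions; a prerelease sorts before its bare release.
function cmpVersion(a, b) {
  const [am, ap] = a.split('-'), [bm, bp] = b.split('-');
  const an = am.split('.').map(Number), bn = bm.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((an[i] || 0) !== (bn[i] || 0)) return (an[i] || 0) - (bn[i] || 0);
  if (ap === undefined || bp === undefined) return (ap === undefined) - (bp === undefined);
  return ap.localeCompare(bp, undefined, { numeric: true });
}
function isVulnerable(name, version) {
  return (vulnerable[name] || []).some(([lo, hi]) =>
    (lo === null || cmpVersion(version, lo) >= 0) && cmpVersion(version, hi) < 0);
}
// Parse yarn.lock v1: a header "name@range[, name@range]:" followed by an
// indented `version "x.y.z"` line. Returns [{ name, version }].
function parseYarnLock(text) {
  const entries = [];
  let name = null;
  for (const line of text.split('\n')) {
    const header = line.match(/^"?(@?[^@"\s]+)@[^:]*:\s*$/);
    if (header) { name = header[1]; continue; }
    const ver = line.match(/^\s+version\s+"([^"]+)"/);
    if (ver && name) { entries.push({ name, version: ver[1] }); name = null; }
  }
  return entries;
}
// Entries of a yarn.lock that still resolve to a vulnerable version.
function findVulnerableEntries(lockText) {
  return parseYarnLock(lockText).filter(e => isVulnerable(e.name, e.version));
}
// Constructed sample lock (not a real mod-graphql yarn.lock).
const sampleLock = `json-ptr@^1.3.2:\n  version "1.3.2"\n\nunderscore@^1.8.3, underscore@~1.8.3:\n  version "1.12.1"\n\nxmldom@^0.1.27:\n  version "0.1.31"\n`;
console.log(findVulnerableEntries(sampleLock));
```

Run it against the real yarn.lock after "yarn upgrade"; an empty result means the resolutions took effect for all three packages.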