Basic Information
Status: Open
Priority: Next
Category: Security
Repo: Content SDK PM
Effort: Trivial
Task ID: T-9AFCE387
Details
Audit graphql-request Dependency
Verify that `graphql-request` ^6.1.0 (used in `core`) and `graphql` ^16.11.0 are free of known vulnerabilities. Check npm audit, Snyk, and GitHub Advisory Database. If vulnerabilities exist, bump or replace.
Why
`graphql-request` is the primary network layer for all Content SDK data fetching. A supply-chain vulnerability here affects every Content SDK consumer.
Evidence
`packages/core/package.json` dependencies; general supply-chain hygiene
Details
Context: `@sitecore-content-sdk/core` depends on `graphql-request` ^6.1.0 and `graphql` ^16.11.0 as its primary data-fetching layer. Every Content SDK consumer transitively depends on these packages, so a supply-chain vulnerability in either would have a broad blast radius across all Sitecore head apps.

Steps:
1. Run `npm audit --production` in `packages/core/`
2. Check `graphql-request` and `graphql` on Snyk vulnerability database and GitHub Advisory Database
3. If vulnerabilities found, bump to patched versions
4. If no vulnerabilities found, document the audit date in a comment or security log

Acceptance criteria:
- No known vulnerabilities in `graphql-request` or `graphql` at the installed versions
- Audit results documented

Risks: None identified.
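The steps above can be scripted so the check is repeatable rather than a one-off. The following is an added example, not Content SDK code: it reads the JSON form of the `npm audit` output, reports only on the two packages this task audits, and builds the dated line the acceptance criteria ask for. The sample audit output and the advisory URL in it are constructed placeholders for the test, not real advisories.

```javascript
// Added example (not part of the Content SDK). Produce the input with, in packages/core/:
//   npm audit --json --production > audit.json
// Assumes the npm 7+ audit JSON shape: `vulnerabilities` keyed by package name,
// where each `via` entry is either an advisory object or the name of the
// package the vulnerability is inherited through.
const WATCHED = ['graphql-request', 'graphql'];

// Returns one finding per watched package that npm audit lists as vulnerable.
function findAdvisories(auditJson, watched = WATCHED) {
  const report = typeof auditJson === 'string' ? JSON.parse(auditJson) : auditJson;
  const vulns = report.vulnerabilities || {};
  return watched
    .filter((name) => name in vulns)
    .map((name) => {
      const v = vulns[name];
      const via = Array.isArray(v.via) ? v.via : [];
      return {
        name,
        severity: v.severity,
        // direct advisories against this package
        advisories: via.filter((x) => typeof x === 'object').map((a) => a.url),
        // packages this one is only transitively vulnerable through
        viaPackages: via.filter((x) => typeof x === 'string'),
        fixAvailable: Boolean(v.fixAvailable),
      };
    });
}

// Builds the line to record in a security log (step 4 / acceptance criteria).
function auditRecord(findings, date = new Date().toISOString().slice(0, 10)) {
  if (findings.length === 0) return `${date}: npm audit clean for ${WATCHED.join(', ')}`;
  const items = findings.map(
    (f) => `${f.name} (${f.severity}${f.fixAvailable ? ', fix available' : ''})`,
  );
  return `${date}: npm audit flagged ${items.join('; ')}`;
}

// Constructed sample: only an unrelated dev dependency is flagged, so the watched set is clean.
const CLEAN_SAMPLE = JSON.stringify({ auditReportVersion: 2, vulnerabilities: {
  'some-dev-tool': { name: 'some-dev-tool', severity: 'low',
    via: [{ url: 'https://example.invalid/advisory' }], fixAvailable: true },
} });

// Constructed sample with a PLACEHOLDER advisory against graphql that propagates to graphql-request.
const FLAGGED_SAMPLE = JSON.stringify({ auditReportVersion: 2, vulnerabilities: {
  graphql: { name: 'graphql', severity: 'high',
    via: [{ url: 'https://github.com/advisories/GHSA-PLACEHOLDER' }], fixAvailable: true },
  'graphql-request': { name: 'graphql-request', severity: 'high', via: ['graphql'], fixAvailable: true },
} });
```

A non-empty result from `findAdvisories` is the signal to bump or replace (step 3); an empty one plus the `auditRecord` line satisfies step 4.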
Source Report: reports/product-management/content-sdk/2026-04-05-content-sdk-pm.md
Report date: Apr 5, 2026