
Commit 97061e6

fix: Upgrade to latest version of graphql-codegen cli (#479)
## Summary

From Brad Bunce

> We're seeing 13 high-severity npm audit findings when using @launchdarkly/observability-node@1.1.0. They all trace back to lodash@4.17.21 pulled in through the @graphql-codegen/cli dependency chain:
>
>     @launchdarkly/observability-node
>       → @graphql-codegen/cli
>         → @graphql-codegen/plugin-helpers
>           → lodash <=4.17.23
>
> The specific lodash advisories are:
>
> - GHSA-r5fr-rjxr-66jc — Code injection via _.template
> - GHSA-f23m-r3pf-42rh — Prototype pollution via _.unset / _.omit
> - GHSA-xxjr-mmjv-4gpg — Prototype pollution in _.unset / _.omit
>
> npm audit fix can't resolve these without downgrading @launchdarkly/observability-node to 0.1.0, which is a breaking change. The only consumer-side workaround is an overrides entry to force a patched lodash version, which carries compatibility risk.
>
> Could the @graphql-codegen dependencies in the observability-node package be updated to versions that no longer depend on vulnerable lodash? Appreciate any timeline or workaround guidance you can share.

The latest version of graphql-codegen cli removed lodash as an unnecessary dependency.

## How did you test this change?

Ran codegen of observability-node successfully.

---

> [!NOTE]
> **Low Risk**
> Low risk because changes are confined to dev/build tooling (`graphql-codegen`) and lockfile updates, with no production runtime code modifications.
>
> **Overview**
> Upgrades `@graphql-codegen/cli` from `^5.0.7` to `^6.3.1` for both `@launchdarkly/observability-node` and `@launchdarkly/observability-shared`, and moves it out of `observability-node` runtime `dependencies` into `devDependencies`.
>
> Regenerates `yarn.lock` to reflect the new codegen dependency tree (notably updating related `@graphql-codegen/*`, `@graphql-tools/*`, and `@babel/*` packages).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 425f432. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
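The dependency chain quoted in the report is what `yarn why lodash` answers when a registry is reachable. As an added example that is not part of this commit or of the LaunchDarkly repository, the script below does the same check offline against a yarn.lock v1 file: it parses the lockfile, walks the resolved graph from a root specifier, and reports every path that reaches lodash at a version inside the range the advisories quote (<=4.17.23). The lockfile text, the package versions in it and the range specifiers are constructed for the example and are not copied from the project's real `yarn.lock`; the version comparison handles plain x.y.z versions only, which is enough for published lodash releases.

```javascript
// Added example, not code from the LaunchDarkly repository: offline audit of a
// yarn.lock v1 file for lodash resolutions at or below 4.17.23 (the range quoted
// in the commit message), printing the dependency chain that pulls each one in.

// Constructed lockfile snippet for the example. Versions and ranges are
// illustrative and mirror the "before" chain described in the commit message;
// they are not copied from the project's real yarn.lock.
const SAMPLE_LOCK = `
# yarn lockfile v1

"@graphql-codegen/cli@^5.0.7":
  version "5.0.7"
  dependencies:
    "@graphql-codegen/plugin-helpers" "^5.0.0"

"@graphql-codegen/plugin-helpers@^5.0.0":
  version "5.1.0"
  dependencies:
    lodash "~4.17.0"

lodash@^4.17.21, lodash@~4.17.0:
  version "4.17.21"

"@launchdarkly/node-server-sdk-otel@^1.3.0":
  version "1.3.0"
`;

// Parse the subset of yarn.lock v1 needed here: the comma-separated "name@range"
// keys of each entry, its resolved version, and its dependencies block.
function parseYarnLock(text) {
  const entries = new Map(); // "name@range" -> { version, dependencies }
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Entry header: one or more quoted-or-bare specifiers, then a colon.
      current = { version: null, dependencies: {} };
      inDeps = false;
      const keys = line.replace(/:\s*$/, '').split(',')
        .map(k => k.trim().replace(/^"|"$/g, ''));
      for (const k of keys) entries.set(k, current);
    } else if (line.startsWith('    ') && inDeps) {
      // Dependency line inside a "dependencies:" block: name "range".
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    } else if (line.startsWith('  ')) {
      inDeps = false;
      const m = line.trim().match(/^version\s+"([^"]+)"$/);
      if (m) current.version = m[1];
      if (line.trim() === 'dependencies:') inDeps = true;
    }
  }
  return entries;
}

// Compare plain x.y.z versions numerically. Pre-release tags are ignored,
// an assumption that holds for lodash, which publishes plain versions.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of the resolved graph from rootSpec, collecting every path
// that ends at `target` with a version <= maxVulnerable.
function findVulnerableChains(entries, rootSpec, target, maxVulnerable) {
  const chains = [];
  const visit = (spec, path, seen) => {
    const entry = entries.get(spec);
    if (!entry || seen.has(spec)) return; // unresolved specifier or a cycle
    const name = spec.slice(0, spec.lastIndexOf('@')); // keeps the @scope/ prefix
    const next = [...path, `${name}@${entry.version}`];
    if (name === target) {
      if (compareVersions(entry.version, maxVulnerable) <= 0) chains.push(next);
      return;
    }
    const nextSeen = new Set(seen).add(spec);
    for (const [dep, range] of Object.entries(entry.dependencies)) {
      visit(`${dep}@${range}`, next, nextSeen);
    }
  };
  visit(rootSpec, [], new Set());
  return chains;
}

// Render the vulnerable chains below one root as "a@1 -> b@2 -> lodash@4.17.21".
function auditLockfile(lockText, rootSpec) {
  const entries = parseYarnLock(lockText);
  return findVulnerableChains(entries, rootSpec, 'lodash', '4.17.23')
    .map(chain => chain.join(' -> '));
}

for (const line of auditLockfile(SAMPLE_LOCK, '@graphql-codegen/cli@^5.0.7')) {
  console.log(line);
}
// prints: @graphql-codegen/cli@5.0.7 -> @graphql-codegen/plugin-helpers@5.1.0 -> lodash@4.17.21
```

To run it against a real checkout, read `yarn.lock` with `fs.readFileSync` in place of `SAMPLE_LOCK` and pass the root specifier exactly as it appears in the consuming package's `dependencies` entry; an empty result for `@launchdarkly/observability-node` after this commit is the consumer-side confirmation that the chain is gone rather than merely hidden from `npm audit`.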
1 parent e1fb14b commit 97061e6

3 files changed

Lines changed: 750 additions & 160 deletions


sdk/@launchdarkly/observability-node/package.json

Lines changed: 1 addition & 1 deletion
@@ -29,7 +29,6 @@
2929
"access": "public"
3030
},
3131
"dependencies": {
32-
"@graphql-codegen/cli": "^5.0.7",
3332
"@launchdarkly/node-server-sdk-otel": "^1.3.0",
3433
"@prisma/instrumentation": ">=5.0.0",
3534
"require-in-the-middle": "^7.4.0"
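Review bot: the removal in this hunk, not the version bump, is what fixes the consumer-side audit findings. As a runtime dependency, `@graphql-codegen/cli` and everything beneath it (including the lodash reached through `@graphql-codegen/plugin-helpers`) was installed into every application depending on `@launchdarkly/observability-node`, which is why `npm audit` surfaced it downstream; a code generator does not belong in `dependencies` whether or not lodash is patched. Please confirm nothing under `observability-node` imports from `@graphql-codegen/*` at runtime (only the generated output should ship), and say in the commit message that the move is the fix, so a future 6.x that regains a lodash dependency is understood not to reintroduce the finding for consumers.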
@@ -39,6 +38,7 @@
3938
"@launchdarkly/node-server-sdk": "^9.9.2"
4039
},
4140
"devDependencies": {
41+
"@graphql-codegen/cli": "^6.3.1",
4242
"@launchdarkly/js-server-sdk-common": "^2.15.2",
4343
"@launchdarkly/node-server-sdk": "^9.9.2",
4444
"@opentelemetry/api": "^1.9.0",
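Review bot: `^6.3.1` is a major-version jump from `^5.0.7`, and the only test described is "ran codegen successfully". Since no generated file appears among the 3 files changed, either the regenerated output was byte-identical or it is not checked in; the commit message should state which, because a silent change in generated types would not be caught by this diff. Moving the package to `devDependencies` removes it from consumers' trees, but this repository's own `yarn.lock` still resolves it, so `yarn why lodash` after the lockfile regeneration is the check that the 6.x chain really dropped lodash, as the message claims, rather than merely hiding it from downstream `npm audit`.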

sdk/@launchdarkly/observability-shared/package.json

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
"test": "vitest run"
1414
},
1515
"devDependencies": {
16-
"@graphql-codegen/cli": "^5.0.7",
16+
"@graphql-codegen/cli": "^6.3.1",
1717
"typescript": "^5.8.3",
1818
"vitest": "^3.2.4"
1919
},
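Review bot: both workspaces now declare `"@graphql-codegen/cli": "^6.3.1"`, so yarn should resolve a single 6.x copy. If the regenerated `yarn.lock` still carries a `@graphql-codegen/cli@^5.0.7` entry, some other workspace or transitive dependency pins the old major and keeps `@graphql-codegen/plugin-helpers` and its lodash in the tree. The `yarn.lock` diff is not shown on this page (it accounts for the remaining 748 additions and 158 deletions of the 750/160 total, the two package.json files contributing one line each way), so a quick grep for `codegen/cli@^5` and `lodash@` in it before merge is worthwhile.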

0 commit comments
