openapi-to-graphql uses outdated package "graphql-upload" which uses vulnerable package "dicer" #481

@florian-besser

Description

According to https://security.snyk.io/vuln/SNYK-JS-DICER-2311764 the package dicer is vulnerable in all versions and should be replaced with an alternative.

To Reproduce

npm i openapi-to-graphql

Expected behavior
A version of graphql-upload >= 15.0.0 is used.
See release notes: https://github.com/jaydenseric/graphql-upload/releases/tag/v15.0.0 which mention the corresponding fix.

Actual behavior
This leads to the following chain being installed:

Additional context
I tried the following fixes to work around the issue:

  1. Try lifting graphql-upload forcefully to 15.0.0 by using an override in package.json.
     This led to an error in openapi-to-graphql/dist/index.js:8:23, which tries to:
const graphqlUpload = require('graphql-upload');

With the new version of graphql-upload we get the following error:

No "exports" main defined in /<path>/node_modules/graphql-upload/package.json

  2. Forcing busboy to be >=1.0.0 by using an override in package.json.
     This seems to have solved the problem, but I'm now left with the potential issues stemming from violating the dependencies of graphql-upload, which is not prepared to work with such a new version of busboy.
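One way to check whether a project's lock file still resolves the chain described in this issue, as an added example (a Node script written for this page, not code from openapi-to-graphql or graphql-upload): it walks a lockfileVersion 2/3 package-lock.json, returns every dependency path that ends in dicer, and lists graphql-upload or busboy installs below the versions the issue names as fixed (15.0.0 and 1.0.0). The lock data embedded below is constructed for illustration; `JSON.parse` your own package-lock.json and pass it to the same functions.

```javascript
// Constructed lock data mirroring the chain in this issue (not a real lock file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "openapi-to-graphql": "^3.0.0" } },
    "node_modules/openapi-to-graphql": { version: "3.0.0", dependencies: { "graphql-upload": "^13.0.0" } },
    "node_modules/graphql-upload": { version: "13.0.0", dependencies: { busboy: "^0.3.1" } },
    "node_modules/busboy": { version: "0.3.1", dependencies: { dicer: "0.3.0" } },
    "node_modules/dicer": { version: "0.3.0" },
  },
};

// Minimum majors this issue names: graphql-upload 15 (fixed release), busboy 1 (override that worked).
const MIN_MAJOR = { "graphql-upload": 15, busboy: 1 };

// npm resolves a dependency from the nearest node_modules directory, walking upward.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every chain root > ... > target, each hop rendered as name@version.
function findChains(lock, target) {
  const chains = [];
  const walk = (path, trail, seen) => {
    const entry = lock.packages[path] || {};
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const depPath = resolveDep(lock, path, dep);
      if (!depPath || seen.has(depPath)) continue; // unresolved dep or cycle
      const next = trail.concat(`${dep}@${lock.packages[depPath].version}`);
      if (dep === target) chains.push(next);
      else walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", [lock.packages[""].name || "(root)"], new Set([""]));
  return chains;
}

// Installed packages whose major version is below the minimum for their name.
function outdatedPackages(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = path.split("node_modules/").pop(); // handles nested and @scoped paths
    if (!(name in MIN_MAJOR)) continue;
    const major = Number(entry.version.split(".")[0]);
    if (major < MIN_MAJOR[name]) hits.push({ name, version: entry.version, needs: `>=${MIN_MAJOR[name]}.0.0` });
  }
  return hits;
}
```

Print `findChains(lock, "dicer").map(c => c.join(" > "))` to see each path, which is the information the `npm ls dicer` output gives but in a form you can assert on in CI.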
