fix(deps): update dependency @apollo/server to v4.11.2 #503
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
d0e4bd1 to
f6a5050
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
f6a5050 to
65a861e
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
65a861e to
8257cac
Compare
renovate
bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
8257cac to
db9c83b
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
db9c83b to
6c8c802
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/apollo-graphql-packages
branch
from
6c8c802 to
c58d795
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.10.2->4.11.2Release Notes
apollographql/apollo-server (@apollo/server)
v4.11.2Compare Source
(No change; there is a change to the
@apollo/server-integration-testsuiteused to test integrations, and the two packages always have matching versions.)v4.11.1Compare Source
Patch Changes
#7952
bb81b2cThanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.@apollo/serverdepends onexpresswhich depends oncookie. Versions ofexpressolder than v4.21.1 depend on a version ofcookievulnerable to CVE-2024-47764. Users of olderexpressversions who callres.cookie()orres.clearCookie()may be vulnerable to this issue.However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.
The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call
startStandaloneServerwith a context function that calls Express-specific methods such asres.cookie()orres.clearCookies()on the response object, which is a violation of the TypeScript types provided bystartStandaloneServer(which only promise that the response object is a core Node.jshttp.ServerResponserather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafeastypecasts in TypeScript.However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own
expressdependency to v4.21.1 or newer.v4.11.0Compare Source
Minor Changes
#7916
4686454Thanks @andrewmcgivery! - AddhideSchemaDetailsFromClientErrorsoption to ApolloServer to allow hiding 'did you mean' suggestions from validation errors.Even with introspection disabled, it is possible to "fuzzy test" a graph manually or with automated tools to try to determine the shape of your schema. This is accomplished by taking advantage of the default behavior where a misspelt field in an operation
will be met with a validation error that includes a helpful "did you mean" as part of the error text.
For example, with this option set to
true, an error would readCannot query field "help" on type "Query".whereas with this option set tofalseit would readCannot query field "help" on type "Query". Did you mean "hello"?.We recommend enabling this option in production to avoid leaking information about your schema to malicious actors.
To enable, set this option to
truein yourApolloServeroptions:v4.10.5Compare Source
Patch Changes
#7821
b2e15e7Thanks @renovate! - Non-major dependency updates#7900
86d7111Thanks @trevor-scheer! - Inline a small dependency that was causing build issues for ESM projectsv4.10.4Compare Source
Patch Changes
18a3827Thanks @tninesling! - Subscription heartbeats are initialized prior to awaiting subscribe(). This allows long-running setup to happen in the returned Promise without the subscription being terminated prior to resolution.v4.10.3Compare Source
Patch Changes
5f335a5Thanks @tninesling! - Catch errors thrown by subscription generators, and gracefully clean up the subscription instead of crashing.Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.