- Updated dependencies [
18a3827
]:- @apollo/server@4.10.4
- Updated dependencies [
5f335a5
]:- @apollo/server@4.10.3
- Updated dependencies [
c7e514c
]:- @apollo/server@4.10.2
- Updated dependencies [
72f568e
]:- @apollo/server@4.10.1
- #7786
869ec98
Thanks @ganemone! - Restore missing v1skipValidation
option asdangerouslyDisableValidation
. Note that enabling this option exposes your server to potential security and unexpected runtime issues. Apollo will not support issues that arise as a result of using this option.
-
#7740
fe68c1b
Thanks @barnisanov! - Uninstalledbody-parser
and usedexpress
built-inbody-parser
functionality instead(mainly the json middleware) -
Updated dependencies [
869ec98
,9bd7748
,63dc50f
,fe68c1b
,e9a0d6e
]:- @apollo/server@4.10.0
-
#7717
681bdd0dc
Thanks @renovate! - Update graphql-http dependency -
Updated dependencies [
07585fe39
,4fac1628c
]:- @apollo/server@4.9.5
- Updated dependencies [
ddce036e1
]:- @apollo/server@4.9.4
- Updated dependencies [
a1c725eaf
]:- @apollo/server@4.9.3
- Updated dependencies [
62e7d940d
]:- @apollo/server@4.9.2
- Updated dependencies [
ebfde0007
]:- @apollo/server@4.9.1
-
#7659
4784f46fb
Thanks @renovate! - Update graphql-http dependency -
Updated dependencies [
4ff81ca50
,4784f46fb
]:- @apollo/server@4.9.0
-
#7636
42fc65cb2
Thanks @trevor-scheer! - Update test suite for compatibility with Node v20 -
Updated dependencies [
42fc65cb2
]:- @apollo/server@4.8.1
-
#7649
d33acdfdd
Thanks @mastrzyz! - Add missingsupertest
dependency -
#7632
64f8177ab
Thanks @renovate! - Update graphql-http dependency -
Updated dependencies [
f8a8ea08f
]:- @apollo/server@4.8.0
- Updated dependencies [
4fadf3ddc
]:- @apollo/cache-control-types@1.0.3
- @apollo/server@4.7.5
- @apollo/usage-reporting-protobuf@4.1.1
-
#7604
aeb511c7d
Thanks @renovate! - Updategraphql-http
dependency -
0adaf80d1
Thanks @trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
precomputedNonce
configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
A final consequence of this change is an extension of the
renderLandingPage
plugin hook. This hook can now return an object with anhtml
property which returns aPromise<string>
in addition to astring
(which was the only option before). -
Updated dependencies [
0adaf80d1
]:- @apollo/server@4.7.4
- Updated dependencies [
75b668d9e
]:- @apollo/server@4.7.3
- Updated dependencies [
c3f04d050
]:- @apollo/server@4.7.2
- Updated dependencies [
5d3c45be9
]:- @apollo/server@4.7.1
-
#7509
5c20aa02e
Thanks @renovate! - Updategraphql-http
dependency -
#7475
b9ac2d6b2
Thanks @renovate! - Update graphql-http dependency -
Updated dependencies [
22a5be934
]:- @apollo/server@4.7.0
-
#7454
f6e3ae021
Thanks @trevor-scheer! - Start building packages with TS 5.x, which should have no effect for users -
Updated dependencies [
1e808146a
,f6e3ae021
,e0db95b96
]:- @apollo/server@4.6.0
-
#7381
29038a4d3
Thanks @renovate! - Update graphql-http dependency -
Updated dependencies [
021460e95
]:- @apollo/usage-reporting-protobuf@4.1.0
- @apollo/server@4.4.1
- Updated dependencies [
f2d433b4f
]:- @apollo/server@4.4.0
-
#7338
01bc39838
Thanks @trevor-scheer! - Update graphql-http to 1.13.0 -
Updated dependencies [
9de18b34c
,8c635d104
]:- @apollo/server@4.3.3
-
#7316
37d884650
Thanks @renovate! - Update graphql-http dependency -
Updated dependencies [
f246ddb71
,e25cb58ff
]:- @apollo/server@4.3.2
-
#7285
35fa72bdd
Thanks @glasser! - Adds an integration test verifying that Rover's introspection query works. This should not break any integration that passes other tests. -
#7276
15c912f4c
Thanks @renovate! - Update graphql-http dependency -
Updated dependencies [
ec28b4b33
,322b5ebbc
,3b0ec8529
]:- @apollo/server@4.3.1
-
#7228
f97e55304
Thanks @dnalborczyk! - Improve compatibility with Cloudflare workers by avoiding the use of the Nodeurl
package. This change is intended to be a no-op. -
Updated dependencies [
3a4823e0d
,d057e2ffc
,f97e55304
,d7e9b9759
,d7e9b9759
]:- @apollo/server@4.3.0
-
#7203
2042ee761
Thanks @glasser! - Fix v4.2.0 (#7171) regression where"operationName": null
,"variables": null
, and"extensions": null
in POST bodies were improperly rejected. -
Updated dependencies [
2042ee761
]:- @apollo/server@4.2.2
-
#7187
3fd7b5f26
Thanks @trevor-scheer! - Update@apollo/utils.keyvaluecache
dependency to the latest patch which correctly specifies its version oflru-cache
. -
Updated dependencies [
3fd7b5f26
]:- @apollo/server@4.2.1
-
#7171
37b3b7fb5
Thanks @glasser! - If a POST body contains a non-stringoperationName
or a non-objectvariables
orextensions
, fail with status code 400 instead of ignoring the field.In addition to being a reasonable idea, this provides more compliance with the "GraphQL over HTTP" spec.
This is a backwards incompatible change, but we are still early in the Apollo Server 4 adoption cycle and this is in line with the change already made in Apollo Server 4 to reject requests providing
variables
orextensions
as strings. If this causes major problems for users who have already upgraded to Apollo Server 4 in production, we can consider reverting or partially reverting this change.
-
#7170
4ce738193
Thanks @trevor-scheer! - Update @apollo/utils packages to v2 (dropping node 12 support) -
#7179
c8129c23f
Thanks @renovate! - Fix a few tests to support (but not require) TypeScript 4.9. -
#7171
37b3b7fb5
Thanks @glasser! - The integration test suite now incorporates thegraphql-http
package's audit suite for the "GraphQL over HTTP" specification. -
#7183
46af8255c
Thanks @glasser! - Apollo Server tries to detect if execution errors are variable coercion errors in order to give them acode
extension ofBAD_USER_INPUT
rather thanINTERNAL_SERVER_ERROR
. Previously this would unconditionally set thecode
; now, it only sets thecode
if nocode
is already set, so that (for example) custom scalarparseValue
methods can throw errors with specificcode
s. (Note that a separate graphql-js bug can lead to these extensions being lost; see graphql/graphql-js#3785 for details.) -
Updated dependencies [
4ce738193
,37b3b7fb5
,b1548c1d6
,7ff96f533
,46af8255c
]:- @apollo/server@4.2.0
- Updated dependencies [
c835637be
]:- @apollo/server@4.1.1
-
2a2d1e3b4
Thanks @glasser! - Thecache-control
HTTP response header set by the cache control plugin now properly reflects the cache policy of all operations in a batched HTTP request. (If you write thecache-control
response header via a different mechanism to a format that the plugin would not produce, the plugin no longer writes the header.) For more information, see advisory GHSA-8r69-3cvp-wxc3. -
2a2d1e3b4
Thanks @glasser! - Plugins processing multiple operations in a batched HTTP request now have a sharedrequestContext.request.http
object. Changes to HTTP response headers and HTTP status code made by plugins operating on one operation can be immediately seen by plugins operating on other operations in the same HTTP request. -
2a2d1e3b4
Thanks @glasser! - New fieldGraphQLRequestContext.requestIsBatched
available to plugins. -
#7114
c1651bfac
Thanks @trevor-scheer! - Directly depend on Apollo Server rather than as a peer
-
#7080
540f3d97c
Thanks @martinnabhan! - Recognize malformed JSON error messages from Next.js. -
Updated dependencies []:
- @apollo/server@4.0.4
-
#7073
e7f524eac
Thanks @glasser! - Never interpretGET
requests as batched. In previous versions of Apollo Server 4, aGET
request whose body was a JSON array with N elements would be interpreted as a batch of the operation specified in the query string repeated N times. Now we just ignore the body forGET
requests (like in Apollo Server 3), and never treat them as batched. -
#7071
0ed389ce8
Thanks @glasser! - Fix v4 regression: gateway implementations should be able to set HTTP response headers and the status code. -
Updated dependencies [
e7f524eac
,0ed389ce8
]:- @apollo/server@4.0.3
-
#7035
b3f400063
Thanks @barryhagan! - Errors resulting from an attempt to use introspection when it is not enabled now have an additionalvalidationErrorCode: 'INTROSPECTION_DISABLED'
extension; this value is part of a new enumApolloServerValidationErrorCode
exported from@apollo/server/errors
. -
#7066
f11d55a83
Thanks @trevor-scheer! - Add a test to validate error message and code for invalid operation names via GET -
#7055
d0d8f4be7
Thanks @trevor-scheer! - Fix build configuration issue and align on CJS correctly -
Updated dependencies [
b3f400063
]:- @apollo/server@4.0.2
-
#7049
3daee02c6
Thanks @glasser! - Raise minimumengines
requirement from Node.js v14.0.0 to v14.16.0. This is the minimum version of Node 14 supported by theengines
requirement ofgraphql@16.6.0
. -
Updated dependencies [
3daee02c6
,3daee02c6
]:- @apollo/server@4.0.1
Initial release of @apollo/server-integration-testsuite
.