fix(deps): update dependency apollo-server to v2.14.2 [security] #23
This PR contains the following updates:
apollo-server: 2.2.6 -> 2.14.2
GitHub Vulnerability Alerts
GHSA-w42g-7vfc-xf37
We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.
Impact
If subscriptions: false is passed to the ApolloServer constructor options, there is no impact.
If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable.
If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules (i.e., using validationRules) since there would be no expectation that introspection was disabled.
The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.
In cases where subscriptions: false is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to the SubscriptionServer.create invocation (seen here, prior to the patch).
The omitted validation rules for the subscription server include any validationRules passed by implementors to the ApolloServer constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internal NoIntrospection validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that the SubscriptionServer creates even though it was not possible on other transports (e.g. HTTP).
The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.
Affected packages
The bug existed in apollo-server-core versions prior to version 2.14.2, however, this means all integration packages (e.g., apollo-server-express, etc.) prior to version 2.14.2 which depend on apollo-server-core for their subscriptions support are affected. This includes the apollo-server package that automatically provides an Express server.
Therefore, for officially published Apollo Server packages, the full list of affected packages includes: apollo-server, apollo-server-azure-functions, apollo-server-cache-memcached, apollo-server-core, apollo-server-cloud-functions, apollo-server-cloudflare, apollo-server-express, apollo-server-fastify, apollo-server-hapi, apollo-server-koa, apollo-server-lambda, and apollo-server-micro.
Resolution
The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g., apollo-server-express) and the apollo-server-core package are both updated to the patched versions. (The version numbers should both be 2.14.2.)
Workarounds
Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with subscriptions: false to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:
For more information
If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.
Credit and appreciation
Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.
Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.
Release Notes
apollographql/apollo-server
v2.14.2
Compare Source
v2.14.1
Compare Source
apollo-server-testing: Ensure that user-provided context is cloned when using createTestClient, per the instructions in the integration testing section of the Apollo Server documentation. Issue #4170 PR #4175
v2.14.0
Compare Source
apollo-server-core / apollo-server-plugin-base: Add support for willResolveField and corresponding end-handler within executionDidStart. This brings the remaining bit of functionality that was previously only available from graphql-extensions to the new plugin API. The graphql-extensions API (which was never documented) will be deprecated in Apollo Server 3.x. To see the documentation for the request pipeline API, see its documentation. For more details, see the attached PR. PR #3988
apollo-server-core: Deprecate graphql-extensions. All internal usages of the graphql-extensions API have been migrated to the request pipeline plugin API. For any implementor-supplied extensions, a deprecation warning will be printed once per-extension, per-server-startup, notifying of the intention to deprecate. Extensions should migrate to the plugin API, which is outlined in its documentation. PR #4135
apollo-engine-reporting: Currently only for non-federated graphs. Added an experimental schema reporting option, experimental_schemaReporting, for Apollo Graph Manager users. During this experiment, we'd appreciate testing and feedback from current and new users of the schema registry!
Prior to the introduction of this feature, the only way to get schemas into the schema registry in Apollo Graph Manager was to use the CLI and run apollo schema:push. Apollo schema reporting protocol is a new specification for GraphQL servers to automatically report schemas to the Apollo Graph Manager schema registry.
To enable schema reporting, provide a Graph Manager API key (available free from Apollo Graph Manager) in the APOLLO_KEY environment variable and set the experimental_schemaReporting option to true in the Apollo Server constructor options, like so:
For more details on the implementation of this new protocol, see the PR which introduced it to Apollo Server and the preview documentation. PR #4084
apollo-engine-reporting: The underlying integration of this plugin, which instruments and traces the graph's resolver performance and transmits these metrics to Apollo Graph Manager, has been changed from the (soon to be deprecated) graphql-extensions API to the new request pipeline plugins API. PR #3998
This change should be purely an implementation detail for a majority of users. There are, however, some special considerations which are worth noting:
ftv1 response on extensions (which is present on the response from an implementing service to the gateway) is now placed on the extensions after the formatResponse hook. Anyone leveraging the extensions.ftv1 data from the formatResponse hook will find that it is no longer present at that phase.
apollo-tracing: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3991
apollo-cache-control: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3997
v2.13.1
Compare Source
v2.13.0
Compare Source
WebSocket.Server to ApolloServer.installSubscriptionHandlers. PR #2314
apollo-server-lambda: Support file uploads on AWS Lambda Issue #1419 Issue #1703 PR #3926
apollo-engine-reporting: Fix inadvertent conditional formatting which prevented automated persisted query (APQ) hits and misses from being reported to Apollo Graph Manager. PR #3986
apollo-engine-reporting: Deprecate the ENGINE_API_KEY environment variable in favor of its new name, APOLLO_KEY. Continued use of ENGINE_API_KEY will result in deprecation warnings and support for it will be removed in a future major version. #3923
apollo-engine-reporting: Deprecated the APOLLO_SCHEMA_TAG environment variable in favor of its new name, APOLLO_GRAPH_VARIANT. Similarly, within the engine configuration object, the schemaTag property has been renamed graphVariant. The functionality remains otherwise unchanged, but their new names mirror the name used within Apollo Graph Manager. Continued use of the now-deprecated names will result in deprecation warnings and support will be dropped completely in the next "major" update. To avoid misconfiguration, a runtime error will be thrown if both new and deprecated names are set. PR #3855
apollo-engine-reporting-protobuf: (This is a breaking change only if you directly depend on apollo-engine-reporting-protobuf.) Drop legacy fields that were never used by apollo-engine-reporting. Added new fields StatsContext to allow apollo-server to send summary stats instead of full traces, and renamed FullTracesReport to Report and Traces to TracesAndStats since reports now can include stats as well as traces.
v2.12.0
Compare Source
apollo-server-core: Support providing a custom logger implementation (e.g. winston, bunyan, etc.) to capture server console messages. Though there has historically been limited output from Apollo Server, some messages are important to capture in the larger context of production logging facilities or can benefit from using more advanced structure, like JSON-based logging. This also introduces a logger property to the GraphQLRequestContext that is exposed to plugins, making it possible for plugins to leverage the same server-level logger, and allowing implementors to create request-specific log contexts, if desired. When not provided, these will still output to console. PR #3894
apollo-server-core: When operating in gateway mode using the gateway property of the Apollo Server constructor options, the failure to initialize a schema during initial start-up, e.g. connectivity problems, will no longer result in the federated executor from being assigned when the schema eventually becomes available. This precludes a state where the gateway may never become available to serve federated requests, even when failure conditions are no longer present. PR #3811
apollo-server-core: Prevent a condition which prefixed an error message on each request when the initial gateway initialization resulted in a Promise-rejection which was memoized and re-prepended with Invalid options provided to ApolloServer: on each request. PR #3811
apollo-server-express: Disable the automatic inclusion of the x-powered-by: express header. PR #3821
apollo-engine-reporting: Avoid creating new arrays when building trace trees. PR #3479
apollo-server-core: Bump graphql peerDependencies range to include ^15.0.0. PR #3944
v2.11.0
Compare Source
peerDependencies versions for graphql has been widened to include graphql@^15.0.0-rc.2 so as to accommodate the latest release-candidate of the graphql@15 package, and an intention to support it when it is finally released on the latest npm tag. While this change will subdue peer dependency warnings for Apollo Server packages, many dependencies from outside of this repository will continue to raise similar warnings until those packages' own peerDependencies are updated. It is unlikely that all of those packages will update their ranges prior to the final version of graphql@15 being released, but if everything is working as expected, the warnings can be safely ignored. PR #3825
v2.10.1
Compare Source
apollo-server-core: Update GraphQL Playground to latest version to remove a rogue curly-brace appearing in the top-right corner of the interface under certain conditions. PR #3702 Playground PR
apollo-server-core: Typings: Allow the cache property inside persistedQueries to be optional. This was already optional at runtime where it defaults to the top-level global cache when unspecified, but with the introduction of the ttl property, it now makes sense that one may be provided without the other. #3671
v2.10.0
Compare Source
apollo-server-express: Support CorsOptionsDelegate type on cors parameter to applyMiddleware, to align with the supported type of the underlying cors middleware itself. #3613
apollo-server-core: Allow asynchronous initialization of datasources: the initialize method on datasources may now return a Promise, which will be settled before any resolvers are called. #3639
apollo-server-core: experimental: Allow configuration of the parsed/validated document store by introducing an experimental_approximateDocumentStoreMiB property to the ApolloServer constructor options which overrides the default cache size of 30MiB. #3755
v2.9.16
Compare Source
apollo-server-core: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch) #3662
v2.9.15
Compare Source
apollo-engine-reporting: Fix regression introduced by #3614 which caused PersistedQueryNotFoundError, PersistedQueryNotSupportedError and InvalidGraphQLRequestError errors to be triggered before the requestDidStart handler triggered treeBuilder's startTiming method. This fix preserves the existing behavior by special-casing these specific errors. #3638 fixes #3627
apollo-server-cloud-functions: Transmit CORS headers on OPTIONS request. #3557
apollo-server-caching: De-compose options interface for KeyValueCache.prototype.set to accommodate better TSDoc annotations for its properties (e.g. to specify that ttl is defined in seconds). #3619
apollo-server-core, apollo-server-caching: Introduce a ttl property, specified in seconds, on the options for automated persisted queries (APQ) which applies specific TTL settings to the cache sets during APQ registration. Previously, all APQ cache records were set to 300 seconds. Additionally, this adds support (to the underlying apollo-server-caching mechanisms) for a time-to-live (TTL) value of null which, when supported by the cache implementation, skips the assignment of a TTL value altogether. This allows the cache's controller to determine when eviction happens (e.g. cache forever, and purge least recently used when the cache is full), which may be desirable for network cache stores (e.g. Memcached, Redis). #3623
apollo-server-core: Upgrade TS to 3.7.3 #3618
v2.9.14
Compare Source
apollo-server-core: Ensure that plugin's didEncounterErrors hooks are invoked for known automated persisted query (APQ) errors. #3614
apollo-server-plugin-base: Move TContext generic from requestDidStart method to ApolloServerPlugin Interface. #3525
v2.9.13
Compare Source
@apollo/gateway: Add @types/node-fetch as a regular dependency to avoid missing dependency for TypeScript consumers. #3546 fixes #3471
apollo-engine-reporting: Declare acceptable graphql versions ranges in peerDependencies rather than allowing it to occur implicitly (and less ideally) via its consumers (e.g. most apollo-server-* packages). #3496
v2.9.12
Compare Source
@apollo/protobufjs fork, the build issue for consumers should be resolved.
v2.9.11
Compare Source
@apollo/protobufjs fork is causing TS errors in consumer projects. Reverting this change for now, and will reintroduce it after the issue is resolved within the forked package.
v2.9.10
Compare Source
apollo-engine-reporting: Swap usage of protobufjs for a newly published fork located at @apollo/protobufjs. This is to account for the relative uncertainty into the continued on-going maintenance of the official protobuf.js project. This should immediately resolve a bug that affected Long types in apollo-engine-reporting and other non-Apollo projects that rely on protobuf.js's Long type. #3530
v2.9.9
Compare Source
apollo-server-core: Don't try parsing variables and extensions as JSON if they are defined but empty strings. #3501
apollo-server-lambda: Introduce onHealthCheck on createHandler in the same fashion as implemented in other integrations. #3458
apollo-server-core: Use graphql's isSchema to more defensively check the user-specified schema's type at runtime and prevent unexpected errors. #3462
v2.9.8
Compare Source
apollo-server-core: Provide accurate type for formatResponse rather than generic Function type. #3431
apollo-server-core: Pass complete request context to formatResponse, rather than just context. #3431
v2.9.7
Compare Source
apollo-server-errors: Fix ApolloError bug and GraphQLError spec compliance #3408
v2.9.6
Compare Source
@apollo/gateway, @apollo/federation, apollo-engine-reporting: Update apollo-graphql dependency to bring in apollo-tooling's #1551 which resolve runtime errors when its source is minified. While this fixes a particular minification bug when Apollo Server packages are minified, we do not recommend minification of server code in most cases. #3387 fixes #3335
apollo-server-koa: Correctly declare dependency on koa-compose. #3356
apollo-server-core: Preserve any extensions that have been placed on the response when pre-execution errors occur. #3394
v2.9.5
Compare Source
v2.9.4
Compare Source
v2.9.3
Compare Source
apollo-server-express: Add direct dependency on express to allow for usage of express.Router for getMiddleware functionality (from #2435). Previously, unlike other server integration packages, apollo-server-express did not directly need express as a dependency since it only relied on express for TypeScript typings. #3239 fixes #3238
apollo-server-lambda: Add @types/aws-lambda as a direct dependency to apollo-server-express to allow usage of its typings without needing to separately install it. #3242 fixes #2351
v2.9.2
Compare Source
apollo-server-koa: Drop support for Node.js v6 within the Apollo Server Koa integration in order to update koa-bodyparser dependency from v3.0.0 to v4.2.1. #3229 fixes #3050
apollo-server-express: Use explicit return type for new getMiddleware method. #3230 (hopefully) fixes #3222
v2.9.1
Compare Source
apollo-server-core: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch) #3662
v2.9.0
Compare Source
apollo-server-express, apollo-server-koa: A new getMiddleware method has been introduced, which accepts the same parameters as applyMiddleware with the exception of the app property. This allows implementors to obtain the middleware directly and "use" it within an existing app. In the near-term, this should ease some of the pain points with the previous technique. Longer-term, we are exploring what we consider to be a much more natural approach by introducing an "HTTP transport" in Apollo Server 3.x. See this proposal issue for more information. #2435
@apollo/federation: buildFederatedSchema's typeDefs parameter now accepts arrays of DocumentNodes (i.e. type definitions wrapped in gql) and resolvers to make the migration from a single service into a federated service easier for teams previously utilizing this pattern. #3188
v2.8.2
Compare Source
apollo-server-koa: Update dependency koa to v2.8.1. PR #3175
apollo-server-express: Update types exported by the ASE package. PR #3173 PR #3172
v2.8.1
Compare Source
apollo-engine-reporting: Fix reporting errors which have non-array path fields (eg, non-GraphQLError errors). PR #3112
apollo-engine-reporting: Add missing apollo-server-caching dependency. PR #3054
apollo-server-hapi: Revert switch from accept and boom which took place in v2.8.0. PR #3089
@apollo/gateway: Change the setInterval timer, which is used to continuously check for updates to a federated graph from the Apollo Graph Manager, to be an unref'd timer. Without this change, the server wouldn't terminate properly once polling had started since the event-loop would continue to have unprocessed events on it. PR #3105
@types/graphql-upload types.
apollo-server-fastify: Change the typing of the HTTP response from OutgoingMessage to ServerResponse. Commit
apollo-server-hapi: Pass the raw request and response objects to graphql-upload's processRequest method to align on the same TypeScript types. Commit
v2.8.0
Compare Source
@apollo/federation: Add support for "value types", which are type definitions which live on multiple services' types, inputs, unions or interfaces. These common types must be identical by name, kind and field across all services. PR #3063
apollo-server-express: Use the Express send method, rather than calling net.Socket.prototype.end. PR #2842
apollo-server-hapi: Update internal dependencies to use scoped packages @hapi/accept and @hapi/boom, in place of accept and boom respectively. PR #3089
v2.7.2
Compare Source
apollo-engine-reporting: Fix reporting errors from backend. (The support for federated metrics introduced in v2.7.0 did not properly handle GraphQL errors from the backend; all users of federated metrics should upgrade to this version.) PR #3056 Issue #3052
apollo-engine-reporting: Clean up SIGINT and SIGTERM handlers when EngineReportingAgent is stopped; fixes 'Possible EventEmitter memory leak detected' log. PR #3090
v2.7.1
Compare Source
apollo-engine-reporting: If an error is thrown by a custom variable transform function passed into the reporting option sendVariableValues: { transform: ... }, all variable values will be replaced with the string [PREDICATE_FUNCTION_ERROR].
apollo-server-express: Typing fix for the connection property, which was missing from the ExpressContext interface. PR #2959
@apollo/gateway: Ensure execution of correct document within multi-operation documents by including the operationName in the cache key used when caching query plans used in federated execution. PR #3084
v2.7.0
Compare Source
apollo-engine-reporting: Behavior change: By default, send no GraphQL variable values to Apollo's servers instead of sending all variable values. Adding the new EngineReportingOption sendVariableValues to send some or all variable values, possibly after transforming them. This replaces the privateVariables option, which is now deprecated. PR #2931
To maintain the previous behavior of transmitting all GraphQL variable values, unfiltered, to Apollo Engine, configure engine.sendVariableValues as follows:
apollo-engine-reporting: Behavior change: By default, send no GraphQL request headers and values to Apollo's servers instead of sending all. Adding the new EngineReportingOption sendHeaders to send some or all header values. This replaces the privateHeaders option, which is now deprecated. PR #2931
To maintain the previous behavior of transmitting all GraphQL request headers and values, configure engine.sendHeaders as follows:
apollo-engine-reporting: Behavior change: If the error returned from the engine.rewriteError hook has an extensions property, that property will be used instead of the original error's extensions. Document that changes to most other GraphQLError fields by engine.rewriteError are ignored. PR #2932
apollo-engine-reporting: Behavior change: The engine.maskErrorDetails option, deprecated by engine.rewriteError in v2.5.0, now behaves a bit more like the new option: while all error messages will be redacted, they will still show up on the appropriate nodes in a trace. PR #2932
apollo-server-core, @apollo/gateway: Introduced managed federation support. For more information on managed federation, see the blog post or jump to the documentation for managed federation.
@apollo/gateway@0.7.1: Don't print a warning about an unspecified "graph variant" (previously, and in many ways still, known as "schema tag") every few seconds. We do highly recommend specifying one when using the Apollo Platform features though! PR #3043
graphql-playground: Update to resolve incorrect background color on tabs when using the light theme. PR #2989 Issue #2979
graphql-playground: Fix "Query Planner" and "Tracing" panels which were off the edge of the viewport.
apollo-server-plugin-base: Fix GraphQLRequestListener type definitions to allow return void. PR #2368
v2.6.9
Compare Source
v2.6.8
Compare Source
v2.6.7
Compare Source
apollo-server-core: Guard against undefined property access in isDirectiveDefined which resulted in "Cannot read property 'some' of undefined" error. PR #2924 Issue #2921
v2.6.6
Compare Source
apollo-server-core: Avoid duplicate cacheControl directives being added via isDirectiveDefined, re-landing the implementation reverted in v2.6.1 which first surfaced in v2.6.0. PR #2762 Reversion PR #2754 Original PR #2428
apollo-server-testing: Add TypeScript types for apollo-server-testing client. PR #2871
apollo-server-plugin-response-cache: Fix undefined property access attempt which occurred when an incomplete operation was received. PR #2792 Issue #2745
v2.6.5
Compare Source
apollo-engine-reporting: Simplify the technique for capturing operationName. PR #2899
apollo-server-core: Fix regression in 2.6.0 which caused engine: false not to disable Engine when the ENGINE_API_KEY environment variable was set. PR #2850
@apollo/federation: Introduced a README.md. PR #2883
@apollo/gateway: Introduced a README.md. PR #2883
v2.6.4
Compare Source
@apollo/gateway: Pass context through to the graphql command in LocalGraphQLDataSource's process method. PR #2821
@apollo/gateway: Fix gateway not sending needed variables for subqueries not at the root level. PR #2867
@apollo/federation: Allow matching enums/scalars in separate services and validate that enums have matching values. PR #2829.
@apollo/federation: Strip @external fields from interface extensions. PR #2848
@apollo/federation: Add support for list type keys in federation. PR #2841
@apollo/federation: Deduplicate variable definitions for sub-queries. PR #2840
v2.6.3
Compare Source
apollo-engine-reporting: Set forbiddenOperation and registeredOperation later in the request lifecycle. PR #2828
apollo-server-core: Add queryHash to GraphQLExecutor for federation. PR #2822
@apollo/federation: Preserve descriptions from SDL of federated services. PR #2830
v2.6.2
Compare Source
apollo-engine-reporting-protobuf: Update protobuf to include forbiddenOperations and registeredOperations. PR #2768
apollo-server-core: Add forbiddenOperation and registeredOperation to GraphQLRequestMetrics type. PR #2768
apollo-engine-reporting: Set forbiddenOperation and registeredOperation on trace if the field is true on requestContext.metrics. PR #2768
apollo-server-lambda: Remove Object.fromEntries usage. PR #2787
v2.6.1
Compare Source
cacheControl directive if one has already been defined. Presently, although the TypeScript don't suggest it, passing a String as typeDefs to ApolloServer is supported and this would be a breaking change for non-TypeScript users. PR #2428
v2.6.0
Compare Source
apollo-server-core: Introduce new didEncounterErrors life-cycle hook which has access to unformatted errors property on the requestContext, which is the first positional parameter that this new request life-cycle receives. PR #2719
apollo-server-core: Allow request pipeline life-cycle hooks (i.e. plugins) to modify the response's http.status code (an integer) in the event of an error. When combined with the new didEncounterErrors life-cycle hook (see above), this will allow modifying the HTTP status code in the event of an error. PR #2714
apollo-server-lambda: Set callbackWaitsForEmptyEventLoop to false for OPTIONS requests to return as soon as the callback is triggered instead of waiting for the event loop to empty. PR #2638
apollo-server: Support onHealthCheck in the ApolloServer constructor in the same way as cors is supported. This contrasts with the -express, -hapi, etc. variations which accept this parameter via their applyMiddleware methods and will remain as-is. PR #2672
engine.apiKeyHash. PR #2685 PR #2736
apollo-datasource-rest: If another Content-type is already set on the response, don't overwrite it with application/json, allowing the user's initial Content-type to prevail. PR #2520
cacheControl directive if one has already been defined. PR #2428
apollo-cache-control: Do not respond with Cache-control headers if the HTTP response contains errors. PR #2715
apollo-server-core: Skip loading util.promisify polyfill in Node.js engines >= 8.0 PR #2278
apollo-server-core: Lazy load subscriptions-transport-ws in core PR #2278
apollo-server-cache-redis: BREAKING FOR USERS OF apollo-server-cache-redis (This is a package that must be updated separately but shares the same CHANGELOG.md with Apollo Server itself.) A new major version of this package has been published and updated to support Redis Standalone, Cluster and Sentinel modes. This is a breaking change since it is now based on ioredis instead of node_redis. Although this update is compatible with the most common uses of apollo-server-cache-redis, please check the options supported by ioredis while updating to this version. The constructor options are passed directly from RedisCache to the new Redis adapter. The pre-1.0 versions should continue to work with Apollo Server without modification. PR #1770
v2.5.1
Compare Source
v2.5.0
Compare Source
New apollo-server-plugin-response-cache implementing a full query response cache based on apollo-cache-control hints. The implementation added a few hooks and context fields; see the PR for details. There is a slight change to cacheControl object: previously, cacheControl.stripFormattedExtensions defaulted to false if you did not provide a cacheControl option object, but defaulted to true if you provided (eg) cacheControl: {defaultMaxAge: 10}. Now stripFormattedExtensions defaults to false unless explicitly provided as true, or if you use the legacy boolean cacheControl: true. For more information, read the documentation. PR #2437
rewriteError option to EngineReportingOptions (i.e. the engine property of the ApolloServer constructor). When defined as a function, it will receive an err property as its first argument which can be used to manipulate (e.g. redaction) an error prior to sending it to Apollo Engine by modifying, e.g., its message property. The error can also be suppressed from reporting entirely by returning an explicit null value. For more information, read the documentation and the EngineReportingOptions API reference. maskErrorDetails is now deprecated. PR #1639
apollo-server-azure-functions: Support @azure/functions to enable Apollo Server [Typescript development in Azure Functions](https://azure.microsoft.com/en-us/blog/improving-the-typescrip
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.
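
The advisory's Resolution section asks that the integration package and apollo-server-core both reach 2.14.2. As an added example (not part of the advisory, of Apollo Server, or of Renovate), the script below walks an npm lockfile object and reports every copy of a listed package that is still older than 2.14.2, including nested copies of apollo-server-core. The function names and the sample lockfile are constructed for illustration, and the check applies the advisory's single "prior to 2.14.2" rule to every package on its list.

```javascript
// Added example: flag Apollo Server packages older than the patched release
// named in the advisory (2.14.2) inside an npm lockfile object.
const PATCHED = '2.14.2';

// Affected packages, as listed in the advisory text.
const AFFECTED = new Set([
  'apollo-server',
  'apollo-server-azure-functions',
  'apollo-server-cache-memcached',
  'apollo-server-core',
  'apollo-server-cloud-functions',
  'apollo-server-cloudflare',
  'apollo-server-express',
  'apollo-server-fastify',
  'apollo-server-hapi',
  'apollo-server-koa',
  'apollo-server-lambda',
  'apollo-server-micro',
]);

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]". Anything else (git URLs,
// tarball specs) yields null so the caller can report it for manual review.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(?:\+.*)?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// true if version < target, false if version >= target, null if unparseable.
// A prerelease of the target (e.g. 2.14.2-alpha.0) sorts before the target.
function isBefore(version, target) {
  const a = parseVersion(version);
  const b = parseVersion(target);
  if (!a || !b) return null;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Returns one finding per installed copy of a listed package that is older
// than `patched` ("vulnerable") or whose version cannot be parsed ("unparsed").
function findAffected(lock, patched = PATCHED) {
  const findings = [];
  const check = (name, version, path) => {
    if (!AFFECTED.has(name) || typeof version !== 'string') return;
    const before = isBefore(version, patched);
    if (before !== false) {
      findings.push({ name, version, path, status: before ? 'vulnerable' : 'unparsed' });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [key, entry] of Object.entries(lock.packages)) {
      const idx = key.lastIndexOf('node_modules/');
      if (idx === -1) continue; // root project or workspace entry
      check(key.slice(idx + 'node_modules/'.length), entry.version, key);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = [...trail, name];
        check(name, entry.version, path.join(' > '));
        walk(entry.dependencies, path);
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}

// Constructed sample: the top-level packages were upgraded, but the
// integration package still carries an old nested apollo-server-core.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'apollo-server-express': {
      version: '2.14.2',
      dependencies: { 'apollo-server-core': { version: '2.9.16' } },
    },
    'apollo-server-core': { version: '2.14.2' },
    'apollo-server-koa': { version: '2.2.6' },
    graphql: { version: '14.6.0' },
  },
};

console.log(JSON.stringify(findAffected(sampleLock), null, 2));
```

To audit a real project, pass the parsed contents of its package-lock.json to findAffected; an empty result means no listed package below 2.14.2 remains in the dependency tree.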