
fix(deps): update dependency apollo-server to v2.14.2 [security] #23

Open: wants to merge 1 commit into base: master


@renovate renovate bot commented Jul 1, 2020

WhiteSource Renovate

This PR contains the following updates:

Package: apollo-server
Change: 2.2.6 -> 2.14.2

GitHub Vulnerability Alerts

GHSA-w42g-7vfc-xf37

We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.

Impact

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules (i.e., using validationRules) since there would be no expectation that introspection was disabled.

The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.

Note: Unless subscriptions: false is explicitly passed to the constructor parameters of new ApolloServer({ ... }), subscriptions are enabled by default, whether or not there is a Subscription type present in the schema. As an alternative to upgrading to a patched version, see the Workarounds section below to disable subscriptions if it is not necessary.

In cases where subscriptions: false is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to the SubscriptionServer.create invocation (seen here, prior to the patch).

The omitted validation rules for the subscription server include any validationRules passed by implementors to the ApolloServer constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internal NoIntrospection validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that the SubscriptionServer creates even though it was not possible on other transports (e.g. HTTP).

The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.

Affected packages

The bug existed in apollo-server-core versions prior to version 2.14.2, however, this means all integration packages (e.g., apollo-server-express, etc.) prior to version 2.14.2 which depend on apollo-server-core for their subscriptions support are affected. This includes the apollo-server package that automatically provides an Express server.

Therefore, for officially published Apollo Server packages, the full list of affected packages includes: apollo-server, apollo-server-azure-functions, apollo-server-cache-memcached, apollo-server-core, apollo-server-cloud-functions, apollo-server-cloudflare, apollo-server-express, apollo-server-fastify, apollo-server-hapi, apollo-server-koa, apollo-server-lambda, and apollo-server-micro.

Note: The full list included here doesn't fit into the box provided by the GitHub Security Advisories form.

Resolution

The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g., apollo-server-express) and the apollo-server-core package are both updated to the patched versions. (The version numbers should both be 2.14.2.)

Workarounds

Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with subscriptions: false to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:

const server = new ApolloServer({
  subscriptions: false,
  /* Other options, such as typeDefs, resolvers, schema, etc. */
});

For more information

If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.

Credit and appreciation

Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.

Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.


Release Notes

apollographql/apollo-server

v2.14.2

Note: This release is related to a GitHub Security Advisory published by the Apollo Server team. Please read the attached advisory to understand the impact.

v2.14.1

See complete versioning details.

v2.14.0

See complete versioning details.

  • apollo-server-core / apollo-server-plugin-base: Add support for willResolveField and corresponding end-handler within executionDidStart. This brings the remaining bit of functionality that was previously only available from graphql-extensions to the new plugin API. The graphql-extensions API (which was never documented) will be deprecated in Apollo Server 3.x. To see the documentation for the request pipeline API, see its documentation. For more details, see the attached PR. PR #3988

  • apollo-server-core: Deprecate graphql-extensions. All internal usages of the graphql-extensions API have been migrated to the request pipeline plugin API. For any implementor-supplied extensions, a deprecation warning will be printed once per-extension, per-server-startup, notifying of the intention to deprecate. Extensions should migrate to the plugin API, which is outlined in its documentation. PR #4135

  • apollo-engine-reporting: Currently only for non-federated graphs. Added an experimental schema reporting option, experimental_schemaReporting, for Apollo Graph Manager users. During this experiment, we'd appreciate testing and feedback from current and new users of the schema registry!

    Prior to the introduction of this feature, the only way to get schemas into the schema registry in Apollo Graph Manager was to use the CLI and run apollo schema:push. Apollo schema reporting protocol is a new specification for GraphQL servers to automatically report schemas to the Apollo Graph Manager schema registry.

    To enable schema reporting, provide a Graph Manager API key (available free from Apollo Graph Manager) in the APOLLO_KEY environment variable and set the experimental_schemaReporting option to true in the Apollo Server constructor options, like so:

    const server = new ApolloServer({
      typeDefs,
      resolvers,
      engine: {
        experimental_schemaReporting: true,
        /* Other existing options can remain the same. */
      },
    });

    When enabled, a schema reporter is initiated by the apollo-engine-reporting agent. It will loop until the ApolloServer instance is stopped, periodically calling back to Apollo Graph Manager to send information. The life-cycle of this reporter is managed by the agent.

    For more details on the implementation of this new protocol, see the PR which introduced it to Apollo Server and the preview documentation.

    PR #4084

  • apollo-engine-reporting: The underlying integration of this plugin, which instruments and traces the graph's resolver performance and transmits these metrics to Apollo Graph Manager, has been changed from the (soon to be deprecated) graphql-extensions API to the new request pipeline plugins API. PR #3998

    This change should be purely an implementation detail for a majority of users. There are, however, some special considerations which are worth noting:

    • The federated tracing plugin's ftv1 response on extensions (which is present on the response from an implementing service to the gateway) is now placed on the extensions after the formatResponse hook. Anyone leveraging the extensions.ftv1 data from the formatResponse hook will find that it is no longer present at that phase.

  • apollo-tracing: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3991

  • apollo-cache-control: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3997

v2.13.1

v2.13.0

See complete versioning details.

  • Allow passing a WebSocket.Server to ApolloServer.installSubscriptionHandlers. PR #2314
  • apollo-server-lambda: Support file uploads on AWS Lambda Issue #1419 Issue #1703 PR #3926
  • apollo-engine-reporting: Fix inadvertent conditional formatting which prevented automated persisted query (APQ) hits and misses from being reported to Apollo Graph Manager. PR #3986
  • apollo-engine-reporting: Deprecate the ENGINE_API_KEY environment variable in favor of its new name, APOLLO_KEY. Continued use of ENGINE_API_KEY will result in deprecation warnings and support for it will be removed in a future major version. #3923
  • apollo-engine-reporting: Deprecated the APOLLO_SCHEMA_TAG environment variable in favor of its new name, APOLLO_GRAPH_VARIANT. Similarly, within the engine configuration object, the schemaTag property has been renamed graphVariant. The functionality remains otherwise unchanged, but their new names mirror the name used within Apollo Graph Manager. Continued use of the now-deprecated names will result in deprecation warnings and support will be dropped completely in the next "major" update. To avoid misconfiguration, a runtime error will be thrown if both new and deprecated names are set. PR #3855
  • apollo-engine-reporting-protobuf: (This is a breaking change only if you directly depend on apollo-engine-reporting-protobuf.) Drop legacy fields that were never used by apollo-engine-reporting. Added new fields StatsContext to allow apollo-server to send summary stats instead of full traces, and renamed FullTracesReport to Report and Traces to TracesAndStats since reports now can include stats as well as traces.

v2.12.0

See complete versioning details.

  • apollo-server-core: Support providing a custom logger implementation (e.g. winston, bunyan, etc.) to capture server console messages. Though there has historically been limited output from Apollo Server, some messages are important to capture in the larger context of production logging facilities or can benefit from using more advanced structure, like JSON-based logging. This also introduces a logger property to the GraphQLRequestContext that is exposed to plugins, making it possible for plugins to leverage the same server-level logger, and allowing implementors to create request-specific log contexts, if desired. When not provided, these will still output to console. PR #3894
  • apollo-server-core: When operating in gateway mode using the gateway property of the Apollo Server constructor options, the failure to initialize a schema during initial start-up, e.g. connectivity problems, will no longer prevent the federated executor from being assigned when the schema eventually becomes available. This precludes a state where the gateway may never become available to serve federated requests, even when failure conditions are no longer present. PR #3811
  • apollo-server-core: Prevent a condition which prefixed an error message on each request when the initial gateway initialization resulted in a Promise-rejection which was memoized and re-prepended with Invalid options provided to ApolloServer: on each request. PR #3811
  • apollo-server-express: Disable the automatic inclusion of the x-powered-by: express header. PR #3821
  • apollo-engine-reporting: Avoid creating new arrays when building trace trees. PR #3479
  • apollo-server-core: Bump graphql peerDependencies range to include ^15.0.0. PR #3944

v2.11.0

See complete versioning details.

  • The range of accepted peerDependencies versions for graphql has been widened to include graphql@^15.0.0-rc.2 so as to accommodate the latest release-candidate of the graphql@15 package, and an intention to support it when it is finally released on the latest npm tag. While this change will subdue peer dependency warnings for Apollo Server packages, many dependencies from outside of this repository will continue to raise similar warnings until those packages' own peerDependencies are updated. It is unlikely that all of those packages will update their ranges prior to the final version of graphql@15 being released, but if everything is working as expected, the warnings can be safely ignored. PR #3825

v2.10.1

See complete versioning details.

  • apollo-server-core: Update GraphQL Playground to latest version to remove a rogue curly-brace appearing in the top-right corner of the interface under certain conditions. PR #3702 Playground PR
  • apollo-server-core: Typings: Allow the cache property inside persistedQueries to be optional. This was already optional at runtime where it defaults to the top-level global cache when unspecified, but with the introduction of the ttl property, it now makes sense that one may be provided without the other. #3671

v2.10.0

See complete versioning details.

  • apollo-server-express: Support CorsOptionsDelegate type on cors parameter to applyMiddleware, to align with the supported type of the underlying cors middleware itself. #3613
  • apollo-server-core: Allow asynchronous initialization of datasources: the initialize method on datasources may now return a Promise, which will be settled before any resolvers are called. #3639
  • apollo-server-core: experimental: Allow configuration of the parsed/validated document store by introducing an experimental_approximateDocumentStoreMiB property to the ApolloServer constructor options which overrides the default cache size of 30MiB. #3755

v2.9.16

See complete versioning details.

  • apollo-server-core: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch) #3662

v2.9.15

See complete versioning details.

  • apollo-engine-reporting: Fix regression introduced by #3614 which caused PersistedQueryNotFoundError, PersistedQueryNotSupportedError and InvalidGraphQLRequestError errors to be triggered before the requestDidStart handler triggered treeBuilder's startTiming method. This fix preserves the existing behavior by special-casing these specific errors. #3638 fixes #3627
  • apollo-server-cloud-functions: Transmit CORS headers on OPTIONS request. #3557
  • apollo-server-caching: De-compose options interface for KeyValueCache.prototype.set to accommodate better TSDoc annotations for its properties (e.g. to specify that ttl is defined in seconds). #3619
  • apollo-server-core, apollo-server-caching: Introduce a ttl property, specified in seconds, on the options for automated persisted queries (APQ) which applies specific TTL settings to the cache sets during APQ registration. Previously, all APQ cache records were set to 300 seconds. Additionally, this adds support (to the underlying apollo-server-caching mechanisms) for a time-to-live (TTL) value of null which, when supported by the cache implementation, skips the assignment of a TTL value altogether. This allows the cache's controller to determine when eviction happens (e.g. cache forever, and purge least recently used when the cache is full), which may be desirable for network cache stores (e.g. Memcached, Redis). #3623
  • apollo-server-core: Upgrade TS to 3.7.3 #3618

v2.9.14

See complete versioning details.

  • apollo-server-core: Ensure that plugin's didEncounterErrors hooks are invoked for known automated persisted query (APQ) errors. #3614
  • apollo-server-plugin-base: Move TContext generic from requestDidStart method to ApolloServerPlugin Interface. #3525

v2.9.13

See complete versioning details.

  • @apollo/gateway: Add @types/node-fetch as a regular dependency to avoid missing dependency for TypeScript consumers. #3546 fixes #3471
  • apollo-engine-reporting: Declare acceptable graphql versions ranges in peerDependencies rather than allowing it to occur implicitly (and less ideally) via its consumers (e.g. most apollo-server-* packages). #3496

v2.9.12

  • Reinstate #3530 via #3539 - after a patch release of the @apollo/protobufjs fork, the build issue for consumers should be resolved.

v2.9.11

  • Revert #3530 via #3535 - the introduction of the @apollo/protobufjs fork is causing TS errors in consumer projects. Reverting this change for now, and will reintroduce it after the issue is resolved within the forked package.

v2.9.10

See complete versioning details.

  • apollo-engine-reporting: Swap usage of protobufjs for a newly published fork located at @apollo/protobufjs. This is to account for the relative uncertainty into the continued on-going maintenance of the official protobuf.js project. This should immediately resolve a bug that affected Long types in apollo-engine-reporting and other non-Apollo projects that rely on protobuf.js's Long type. #3530

v2.9.9

See complete versioning details.

  • apollo-server-core: Don't try parsing variables and extensions as JSON if they are defined but empty strings. #3501
  • apollo-server-lambda: Introduce onHealthCheck on createHandler in the same fashion as implemented in other integrations. #3458
  • apollo-server-core: Use graphql's isSchema to more defensively check the user-specified schema's type at runtime and prevent unexpected errors. #3462

v2.9.8

See complete versioning details.

  • apollo-server-core: Provide accurate type for formatResponse rather than generic Function type. #3431
  • apollo-server-core: Pass complete request context to formatResponse, rather than just context. #3431

v2.9.7

See complete versioning details.

  • apollo-server-errors: Fix ApolloError bug and GraphQLError spec compliance #3408

v2.9.6

See complete versioning details.

  • @apollo/gateway, @apollo/federation, apollo-engine-reporting: Update apollo-graphql dependency to bring in apollo-tooling's #1551 which resolves runtime errors when its source is minified. While this fixes a particular minification bug when Apollo Server packages are minified, we do not recommend minification of server code in most cases. #3387 fixes #3335
  • apollo-server-koa: Correctly declare dependency on koa-compose. #3356
  • apollo-server-core: Preserve any extensions that have been placed on the response when pre-execution errors occur. #3394

v2.9.5

v2.9.4

v2.9.3

See complete versioning details.

  • apollo-server-express: Add direct dependency on express to allow for usage of express.Router for getMiddleware functionality (from #2435). Previously, unlike other server integration packages, apollo-server-express did not directly need express as a dependency since it only relied on express for TypeScript typings. #3239 fixes #3238
  • apollo-server-lambda: Add @types/aws-lambda as a direct dependency to apollo-server-express to allow usage of its typings without needing to separately install it. #3242 fixes #2351

v2.9.2

See complete versioning details.

  • apollo-server-koa: Drop support for Node.js v6 within the Apollo Server Koa integration in order to update koa-bodyparser dependency from v3.0.0 to v4.2.1. #3229 fixes #3050
  • apollo-server-express: Use explicit return type for new getMiddleware method. #3230 (hopefully) fixes #3222

v2.9.1

See complete versioning details.

  • apollo-server-core: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch) #3662

v2.9.0

See complete versioning details.

  • apollo-server-express, apollo-server-koa: A new getMiddleware method has been introduced, which accepts the same parameters as applyMiddleware with the exception of the app property. This allows implementors to obtain the middleware directly and "use" it within an existing app. In the near-term, this should ease some of the pain points with the previous technique. Longer-term, we are exploring what we consider to be a much more natural approach by introducing an "HTTP transport" in Apollo Server 3.x. See this proposal issue for more information. #2435
  • @apollo/federation: buildFederatedSchema's typeDefs parameter now accepts arrays of DocumentNodes (i.e. type definitions wrapped in gql) and resolvers to make the migration from a single service into a federated service easier for teams previously utilizing this pattern. #3188

v2.8.2

See complete versioning details.

v2.8.1

See complete versioning details.

  • apollo-engine-reporting: Fix reporting errors which have non-array path fields (eg, non-GraphQLError errors). PR #3112
  • apollo-engine-reporting: Add missing apollo-server-caching dependency. PR #3054
  • apollo-server-hapi: Revert switch from accept and boom which took place in v2.8.0. PR #3089
  • @apollo/gateway: Change the setInterval timer, which is used to continuously check for updates to a federated graph from the Apollo Graph Manager, to be an unref'd timer. Without this change, the server wouldn't terminate properly once polling had started since the event-loop would continue to have unprocessed events on it. PR #3105
  • Switch to using community @types/graphql-upload types.
  • apollo-server-fastify: Change the typing of the HTTP response from OutgoingMessage to ServerResponse. Commit
  • apollo-server-hapi: Pass the raw request and response objects to graphql-uploads processRequest method to align on the same TypeScript types. Commit

v2.8.0

See complete versioning details.

  • @apollo/federation: Add support for "value types", which are type definitions which live on multiple services' types, inputs, unions or interfaces. These common types must be identical by name, kind and field across all services. PR #3063
  • apollo-server-express: Use the Express send method, rather than calling net.Socket.prototype.end. PR #2842
  • apollo-server-hapi: Update internal dependencies to use scoped packages @hapi/accept and @hapi/boom, in place of accept and boom respectively. PR #3089

v2.7.2

See complete versioning details.

  • apollo-engine-reporting: Fix reporting errors from backend. (The support for federated metrics introduced in v2.7.0 did not properly handle GraphQL errors from the backend; all users of federated metrics should upgrade to this version.) PR #3056 Issue #3052
  • apollo-engine-reporting: Clean up SIGINT and SIGTERM handlers when EngineReportingAgent is stopped; fixes 'Possible EventEmitter memory leak detected' log. PR #3090

v2.7.1

See complete versioning details.

  • apollo-engine-reporting: If an error is thrown by a custom variable transform function passed into the reporting option sendVariableValues: { transform: ... }, all variable values will be replaced with the string [PREDICATE_FUNCTION_ERROR].
  • apollo-server-express: Typing fix for the connection property, which was missing from the ExpressContext interface. PR #2959
  • @apollo/gateway: Ensure execution of correct document within multi-operation documents by including the operationName in the cache key used when caching query plans used in federated execution. PR #3084

v2.7.0

See complete versioning details.

  • apollo-engine-reporting: Behavior change: By default, send no GraphQL variable values to Apollo's servers instead of sending all variable values. Adding the new EngineReportingOption sendVariableValues to send some or all variable values, possibly after transforming them. This replaces the privateVariables option, which is now deprecated. PR #2931

    To maintain the previous behavior of transmitting all GraphQL variable values, unfiltered, to Apollo Engine, configure engine.sendVariableValues as follows:

    engine: {
      sendVariableValues: { all: true }
    }

  • apollo-engine-reporting: Behavior change: By default, send no GraphQL request headers and values to Apollo's servers instead of sending all. Adding the new EngineReportingOption sendHeaders to send some or all header values. This replaces the privateHeaders option, which is now deprecated. PR #2931

    To maintain the previous behavior of transmitting all GraphQL request headers and values, configure engine.sendHeaders as follows:

    engine: {
      sendHeaders: { all: true }
    }

  • apollo-engine-reporting: Behavior change: If the error returned from the engine.rewriteError hook has an extensions property, that property will be used instead of the original error's extensions. Document that changes to most other GraphQLError fields by engine.rewriteError are ignored. PR #2932

  • apollo-engine-reporting: Behavior change: The engine.maskErrorDetails option, deprecated by engine.rewriteError in v2.5.0, now behaves a bit more like the new option: while all error messages will be redacted, they will still show up on the appropriate nodes in a trace. PR #2932

  • apollo-server-core, @apollo/gateway: Introduced managed federation support. For more information on managed federation, see the blog post or jump to the documentation for managed federation.

  • @apollo/gateway@0.7.1: Don't print a warning about an unspecified "graph variant" (previously, and in many ways still, known as "schema tag") every few seconds. We do highly recommend specifying one when using the Apollo Platform features though! PR #3043

  • graphql-playground: Update to resolve incorrect background color on tabs when using the light theme. PR #2989 Issue #2979

  • graphql-playground: Fix "Query Planner" and "Tracing" panels which were off the edge of the viewport.

  • apollo-server-plugin-base: Fix GraphQLRequestListener type definitions to allow return void. PR #2368

v2.6.9

v2.6.8

v2.6.7

See complete versioning details.

  • apollo-server-core: Guard against undefined property access in isDirectiveDefined which resulted in "Cannot read property 'some' of undefined" error. PR #2924 Issue #2921

v2.6.6

See complete versioning details.

  • apollo-server-core: Avoid duplicate cacheControl directives being added via isDirectiveDefined, re-landing the implementation reverted in v2.6.1 which first surfaced in v2.6.0. PR #2762 Reversion PR #2754 Original PR #2428
  • apollo-server-testing: Add TypeScript types for apollo-server-testing client. PR #2871
  • apollo-server-plugin-response-cache: Fix undefined property access attempt which occurred when an incomplete operation was received. PR #2792 Issue #2745

v2.6.5

See complete versioning details.

  • apollo-engine-reporting: Simplify the technique for capturing operationName. PR #2899
  • apollo-server-core: Fix regression in 2.6.0 which caused engine: false not to disable Engine when the ENGINE_API_KEY environment variable was set. PR #2850
  • @apollo/federation: Introduced a README.md. PR #2883
  • @apollo/gateway: Introduced a README.md. PR #2883

v2.6.4

See complete versioning details.

  • @apollo/gateway: Pass context through to the graphql command in LocalGraphQLDataSource's process method. PR #2821
  • @apollo/gateway: Fix gateway not sending needed variables for subqueries not at the root level. PR #2867
  • @apollo/federation: Allow matching enums/scalars in separate services and validate that enums have matching values. PR #2829
  • @apollo/federation: Strip @external fields from interface extensions. PR #2848
  • @apollo/federation: Add support for list type keys in federation. PR #2841
  • @apollo/federation: Deduplicate variable definitions for sub-queries. PR #2840

v2.6.3

See complete versioning details.

  • apollo-engine-reporting: Set forbiddenOperation and registeredOperation later in the request lifecycle. PR #2828
  • apollo-server-core: Add queryHash to GraphQLExecutor for federation. PR #2822
  • @apollo/federation: Preserve descriptions from SDL of federated services. PR #2830

v2.6.2

  • apollo-engine-reporting-protobuf: Update protobuf to include forbiddenOperations and registeredOperations. PR #2768
  • apollo-server-core: Add forbiddenOperation and registeredOperation to GraphQLRequestMetrics type. PR #2768
  • apollo-engine-reporting: Set forbiddenOperation and registeredOperation on trace if the field is true on requestContext.metrics. PR #2768
  • apollo-server-lambda: Remove Object.fromEntries usage. PR #2787

v2.6.1

  • Revert: Don't add cacheControl directive if one has already been defined. Presently, although the TypeScript types don't suggest it, passing a String as typeDefs to ApolloServer is supported and this would be a breaking change for non-TypeScript users. PR #2428

v2.6.0

  • apollo-server-core: Introduce new didEncounterErrors life-cycle hook which has access to unformatted errors property on the requestContext, which is the first positional parameter that this new request life-cycle receives. PR #2719
  • apollo-server-core: Allow request pipeline life-cycle hooks (i.e. plugins) to modify the response's http.status code (an integer) in the event of an error. When combined with the new didEncounterErrors life-cycle hook (see above), this will allow modifying the HTTP status code in the event of an error. PR #2714
  • apollo-server-lambda: Set callbackWaitsForEmptyEventLoop to false for OPTIONS requests to return as soon as the callback is triggered instead of waiting for the event loop to empty. PR #2638
  • apollo-server: Support onHealthCheck in the ApolloServer constructor in the same way as cors is supported. This contrasts with the -express, -hapi, etc. variations which accept this parameter via their applyMiddleware methods and will remain as-is. PR #2672
  • core: Expose SHA-512 hex hash digest of the Engine API key to plugins, when available, as engine.apiKeyHash. PR #2685 PR #2736
  • apollo-datasource-rest: If another Content-type is already set on the response, don't overwrite it with application/json, allowing the user's initial Content-type to prevail. PR #2520
  • Don't add cacheControl directive if one has already been defined. PR #2428
  • apollo-cache-control: Do not respond with Cache-control headers if the HTTP response contains errors. PR #2715
  • apollo-server-core: Skip loading util.promisify polyfill in Node.js engines >= 8.0 PR #2278
  • apollo-server-core: Lazy load subscriptions-transport-ws in core PR #2278
  • apollo-server-cache-redis: BREAKING FOR USERS OF apollo-server-cache-redis (This is a package that must be updated separately but shares the same CHANGELOG.md with Apollo Server itself.) A new major version of this package has been published and updated to support Redis Standalone, Cluster and Sentinel modes. This is a breaking change since it is now based on ioredis instead of node_redis. Although this update is compatible with the most common uses of apollo-server-cache-redis, please check the options supported by ioredis while updating to this version. The constructor options are passed directly from RedisCache to the new Redis adapter. The pre-1.0 versions should continue to work with Apollo Server without modification. PR #1770

v2.5.1

Compare Source

  • Upgrade GraphQL Playground to the latest upstream release. This release also includes a new "Query Plan" panel for displaying the query planning results when running the Apollo Gateway.

v2.5.0

Compare Source

New
  • New plugin package apollo-server-plugin-response-cache implementing a full query response cache based on apollo-cache-control hints. The implementation added a few hooks and context fields; see the PR for details. There is a slight change to the cacheControl object: previously, cacheControl.stripFormattedExtensions defaulted to false if you did not provide a cacheControl option object, but defaulted to true if you provided (e.g.) cacheControl: {defaultMaxAge: 10}. Now stripFormattedExtensions defaults to false unless explicitly provided as true, or if you use the legacy boolean cacheControl: true. For more information, read the documentation. PR #2437
  • Add rewriteError option to EngineReportingOptions (i.e. the engine property of the ApolloServer constructor). When defined as a function, it will receive an err property as its first argument which can be used to manipulate (e.g. redact) an error prior to sending it to Apollo Engine by modifying, e.g., its message property. The error can also be suppressed from reporting entirely by returning an explicit null value. For more information, read the documentation and the EngineReportingOptions API reference. maskErrorDetails is now deprecated. PR #1639
  • apollo-server-azure-functions: Support @azure/functions to enable Apollo Server [Typescript development in Azure Functions](https://azure.microsoft.com/en-us/blog/improving-the-typescrip

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by WhiteSource Renovate. View repository job log here.
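The v2.6.0 entries above describe a `didEncounterErrors` hook that sees the unformatted errors and may change `response.http.status`. The following is an added example, not code from the apollo-server project, of a plugin that uses those two features to return 401/403 instead of the default status when an authentication or authorization error occurs; the `requestContext` is a constructed stand-in carrying only the fields the plugin touches, and the error-code-to-status mapping is an assumption.

```javascript
// Added example: Apollo Server 2.6+ plugin using the didEncounterErrors hook.
// Not code from the apollo-server project; the requestContext shape below is
// a constructed stand-in for the fields the real pipeline exposes.

// Assumed mapping from a GraphQL error's extensions.code to an HTTP status.
// Codes not listed leave the status untouched (Apollo's default handling).
const STATUS_BY_CODE = {
  UNAUTHENTICATED: 401,
  FORBIDDEN: 403,
  BAD_USER_INPUT: 400,
};

// The first error with a mapped code decides the status; returns null if
// no error carries a code we translate.
function statusForErrors(errors) {
  for (const err of errors) {
    const code = err.extensions && err.extensions.code;
    if (code !== undefined && STATUS_BY_CODE[code] !== undefined) {
      return STATUS_BY_CODE[code];
    }
  }
  return null;
}

// Plugin object in the shape Apollo Server 2.x expects: requestDidStart
// returns the per-request hooks, didEncounterErrors among them.
const errorStatusPlugin = {
  requestDidStart() {
    return {
      didEncounterErrors(requestContext) {
        // requestContext.errors holds the unformatted errors (v2.6.0).
        const status = statusForErrors(requestContext.errors || []);
        const http = requestContext.response && requestContext.response.http;
        if (status !== null && http) {
          http.status = status; // modifiable since v2.6.0 (PR #2714)
        }
      },
    };
  },
};

// Constructed request context for running the hook outside a server.
function makeRequestContext(errors) {
  return { errors, response: { http: { status: undefined, headers: {} } } };
}

// Run the hook over a list of errors and report the resulting HTTP status.
function runPlugin(errors) {
  const ctx = makeRequestContext(errors);
  errorStatusPlugin.requestDidStart().didEncounterErrors(ctx);
  return ctx.response.http.status;
}
```

In a real server the plugin is passed as `new ApolloServer({ ..., plugins: [errorStatusPlugin] })`.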

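The v2.5.0 entry above introduces `rewriteError` on `EngineReportingOptions`: the function receives the error, may modify its message, and returns `null` to keep the error out of Engine reporting. Below is an added example, not code from the apollo-server project, of such a function that redacts credentials and personal data from messages and drops client-side errors; the redaction patterns, the suppressed codes and the sample errors are all constructed assumptions.

```javascript
// Added example of a rewriteError function for EngineReportingOptions
// (v2.5.0). Not code from the apollo-server project. Engine is a third-party
// service, so the goal is that secrets and stack traces never leave the server.

// Assumed patterns that must be scrubbed from any reported error message.
const REDACTIONS = [
  [/Bearer\s+[A-Za-z0-9\-._~+\/]+=*/g, 'Bearer [REDACTED]'],         // bearer tokens
  [/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, '[EMAIL]'],            // e-mail addresses
  [/\b\d{13,19}\b/g, '[NUMBER]'],                                    // card-length digit runs
];

// Assumed set of client-caused error codes that add no signal for operators
// and are therefore not reported at all.
const SUPPRESSED_CODES = new Set(['UNAUTHENTICATED', 'BAD_USER_INPUT']);

function scrub(message) {
  let out = message;
  for (const [pattern, replacement] of REDACTIONS) {
    out = out.replace(pattern, replacement);
  }
  return out;
}

// Matches the rewriteError contract: return the (modified) error to report
// it, or null to suppress it entirely.
function rewriteError(err) {
  const code = err.extensions && err.extensions.code;
  if (SUPPRESSED_CODES.has(code)) {
    return null;
  }
  err.message = scrub(err.message);
  // Stack traces describe server internals; strip them before reporting.
  if (err.extensions && err.extensions.exception) {
    delete err.extensions.exception.stacktrace;
  }
  return err;
}

// Apply rewriteError to a batch and keep only what would be reported.
function reportable(errors) {
  return errors.map(rewriteError).filter((e) => e !== null);
}

// Wiring into the constructor (option names from the changelog entry):
// new ApolloServer({ typeDefs, resolvers, engine: { apiKey: process.env.ENGINE_API_KEY, rewriteError } });
```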
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from aa06f6f to 42a253d on August 25, 2020 01:55
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 42a253d to 3e24f0d on October 27, 2020 10:00
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 3e24f0d to 0a8b56e on November 28, 2020 13:56
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 0a8b56e to 57b0616 on December 10, 2020 16:57
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 897c350 to b8541f4 on January 10, 2021 13:44
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 3610d67 to 1d2e2f8 on January 31, 2021 09:56
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 18802db to d4122bd on February 10, 2021 17:00
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from d4122bd to 9f088be on April 26, 2021 14:34
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 9f088be to 8e9626e on May 9, 2021 23:23