Update dependency apollo-server-express to v2.14.2 [SECURITY]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
apollo-server-express	2.12.0 -> 2.14.2

GitHub Vulnerability Alerts

GHSA-w42g-7vfc-xf37

We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.

Impact

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules (i.e., using validationRules) since there would be no expectation that introspection was disabled.

The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.

Note: Unless subscriptions: false is explicitly passed to the constructor parameters of new ApolloServer({ ... }), subscriptions are enabled by default, whether or not there is a Subscription type present in the schema. As an alternative to upgrading to a patched version, see the Workarounds section below to disable subscriptions if it is not necessary.

In cases where subscriptions: false is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to the SubscriptionServer.create invocation (seen here, prior to the patch).

The omitted validation rules for the subscription server include any validationRules passed by implementors to the ApolloServer constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internal NoIntrospection validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that the SubscriptionServer creates even though it was not possible on other transports (e.g. HTTP).

The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.

Affected packages

The bug existed in apollo-server-core versions prior to version 2.14.2, however, this means all integration packages (e.g., apollo-server-express, etc.) prior to version 2.14.2 which depend on apollo-server-core for their subscriptions support are affected. This includes the apollo-server package that automatically provides an Express server.

Therefore, for officially published Apollo Server packages, the full list of affected packages includes: apollo-server, apollo-server-azure-functions, apollo-server-cache-memcached, apollo-server-core, apollo-server-cloud-functions, apollo-server-cloudflare, apollo-server-express, apollo-server-fastify, apollo-server-hapi, apollo-server-koa, apollo-server-lambda, and apollo-server-micro.

Note: The full list included here doesn't fit into the box provided by the GitHub Security Advisories form.

Resolution

The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g., apollo-server-express) and the apollo-server-core package are both updated to the patched versions. (The version numbers should both be 2.14.2.)

Workarounds

Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with subscriptions: false to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:

const server = new ApolloServer({
  subscriptions: false,
  /* Other options, such as typeDefs, resolvers, schema, etc. */
});

For more information

If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.

Credit and appreciation

Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.

Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.

---

Release Notes

apollographql/apollo-server

v2.14.2

Compare Source

Note: This release is is related to a GitHub Security Advisory published by the Apollo Server team. Please read the attached advisory to understand the impact.

• ⚠️ SECURITY: Pass all schema validation rules to the subscription server, including validation rules that restrict introspection when introspection is meant to be disabled. Read the full GitHub Security Advisory for details.

v2.14.1

Compare Source

See complete versioning details.

• apollo-server-testing: Ensure that user-provided context is cloned when using createTestClient, per the instructions in the integration testing section of the Apollo Server documentation. Issue #​4170 PR #​4175

v2.14.0

Compare Source

See complete versioning details.

• apollo-server-core / apollo-server-plugin-base: Add support for willResolveField and corresponding end-handler within executionDidStart. This brings the remaining bit of functionality that was previously only available from graphql-extensions to the new plugin API. The graphql-extensions API (which was never documented) will be deprecated in Apollo Server 3.x. To see the documentation for the request pipeline API, see its documentation. For more details, see the attached PR. PR #​3988

• apollo-server-core: Deprecate graphql-extensions. All internal usages of the graphql-extensions API have been migrated to the request pipeline plugin API. For any implementor-supplied extensions, a deprecation warning will be printed once per-extension, per-server-startup, notifying of the intention to deprecate. Extensions should migrate to the plugin API, which is outlined in its documentation. PR #​4135

• apollo-engine-reporting: Currently only for non-federated graphs. Added an experimental schema reporting option, experimental_schemaReporting, for Apollo Graph Manager users. During this experiment, we'd appreciate testing and feedback from current and new users of the schema registry!

  Prior to the introduction of this feature, the only way to get schemas into the schema registry in Apollo Graph Manager was to use the CLI and run apollo schema:push. Apollo schema reporting protocol is a new specification for GraphQL servers to automatically report schemas to the Apollo Graph Manager schema registry.

  To enable schema reporting, provide a Graph Manager API key (available free from Apollo Graph Manager) in the APOLLO_KEY environment variable and set the experimental_schemaReporting option to true in the Apollo Server constructor options, like so:

  const server = new ApolloServer({
    typeDefs,
    resolvers,
    engine: {
      experimental_schemaReporting: true,
      /* Other existing options can remain the same. */
    },
  });
  

  When enabled, a schema reporter is initiated by the apollo-engine-reporting agent. It will loop until the ApolloServer instance is stopped, periodically calling back to Apollo Graph Manager to send information. The life-cycle of this reporter is managed by the agent.

  For more details on the implementation of this new protocol, see the PR which introduced it to Apollo Server and the preview documentation.

  PR #​4084

• apollo-engine-reporting: The underlying integration of this plugin, which instruments and traces the graph's resolver performance and transmits these metrics to Apollo Graph Manager, has been changed from the (soon to be deprecated) graphql-extensions API to the new request pipeline plugins API. PR #​3998

  This change should be purely an implementation detail for a majority of users. There are, however, some special considerations which are worth noting:

  • The federated tracing plugin's ftv1 response on extensions (which is present on the response from an implementing service to the gateway) is now placed on the extensions after the formatResponse hook. Anyone leveraging the extensions.ftv1 data from the formatResponse hook will find that it is no longer present at that phase.

• apollo-tracing: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #​3991

• apollo-cache-control: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecated graphql-extensions API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #​3997

v2.13.1

Compare Source

v2.13.0

Compare Source

See complete versioning details.

• Allow passing a WebSocket.Server to ApolloServer.installSubscriptionHandlers. PR #​2314
• apollo-server-lambda: Support file uploads on AWS Lambda Issue #​1419 Issue #​1703 PR #​3926
• apollo-engine-reporting: Fix inadvertent conditional formatting which prevented automated persisted query (APQ) hits and misses from being reported to Apollo Graph Manager. PR #​3986
• apollo-engine-reporting: Deprecate the ENGINE_API_KEY environment variable in favor of its new name, APOLLO_KEY. Continued use of ENGINE_API_KEY will result in deprecation warnings and support for it will be removed in a future major version. #​3923
• apollo-engine-reporting: Deprecated the APOLLO_SCHEMA_TAG environment variable in favor of its new name, APOLLO_GRAPH_VARIANT. Similarly, within the engine configuration object, the schemaTag property has been renamed graphVariant. The functionality remains otherwise unchanged, but their new names mirror the name used within Apollo Graph Manager. Continued use of the now-deprecated names will result in deprecation warnings and support will be dropped completely in the next "major" update. To avoid misconfiguration, a runtime error will be thrown if both new and deprecated names are set. PR #​3855
• apollo-engine-reporting-protobuf: (This is a breaking change only if you directly depend on apollo-engine-reporting-protobuf.) Drop legacy fields that were never used by apollo-engine-reporting. Added new fields StatsContext to allow apollo-server to send summary stats instead of full traces, and renamed FullTracesReport to Report and Traces to TracesAndStats since reports now can include stats as well as traces.

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.