router icon indicating copy to clipboard operation
router copied to clipboard
verified publisher icon apollographql

fix(deps): update rust crate async-graphql to v7 [security]

Open renovate[bot] opened this issue 1 year ago • 3 comments

This PR contains the following updates:

Package Type Update Change
async-graphql dependencies major 6 -> 7

GitHub Vulnerability Alerts

CVE-2024-47614

Impact

  • Service Disruption: The server may become unresponsive or extremely slow, potentially leading to downtime.
  • Resource Exhaustion: Excessive use of server resources, such as CPU and memory, could negatively impact other services running on the same infrastructure.
  • User Experience Degradation: Users may experience delays or failures when accessing the service, which could lead to frustration and loss of trust in the service.

Patches

  1. Upgrade to v7.0.10
  2. Use SchemaBuilder.limit_directives to limit the maximum number of directives for a single field.

Release Notes

async-graphql/async-graphql (async-graphql)

v7.0.10

  • add SchemeBuilder.limit_directives method to set the maximum number of directives on a single field.
  • remove needless ?Sized #​1593
  • fix: generate each variant description correctly. #​1589
  • Make From<T> for [Error] set source #​1561
  • feat(graphiql): add support for WS connection params #​1597

v7.0.9

  • add on_ping callback to WebSocket

v7.0.8

  • chore: Make Extensions nullable #​1563
  • expose rejection in async_graphql_axum #​1571
  • Updated crate time to 3.36, as it fixes a compilation error in rust 1.80 #​1572
  • Impl Debug for dynamic::FieldValue & Improve error messages for its methods #​1582
  • Support scraping #[doc = ...] attributes when generating descriptions #​1581
  • add Websocket::keepalive_timeout method to sets a timeout for receiving an acknowledgement of the keep-alive ping.

v7.0.7

  • Support raw values from serde_json #​1554
  • The custom directive ARGUMENT_DEFINITION is not being output at the appropriate location in SDL #​1559
  • Support for JSON extended representations of BSON ObjectId and Uuid #​1542
  • feat: get directives from SelectionField #​1548
  • Support Directives on Subscriptions #​1500
  • fix subscription err typo #​1556

v7.0.6

  • add license files to each project #​1523
  • Improve alignment of directive behavior with GraphQL spec #​1524
  • dynamic schema: pass default vals to ResolverContext #​1527
  • Add altair source #​1530
  • feat: Add support for using Interface and OneofObject on the same struct #​1534

v7.0.5

  • Fix compiler and clippy warnings #​1501
  • Added support for deploying to wasm targets with axum - (without subscriptions) #​1517
  • Bump opentelemetry (0.21.0 -> 0.22.0) #​1513
  • Update lru dependency #​1504
  • Support TypeDirective for ArgumentDefinition, Enum, EnumValue, InputFieldDefinition, InputObject, Interface #​1509
  • Add display attribute for Enum macro #​1518

v7.0.3

  • Sort schema fields & enums if required #​1475
  • Change the type_name of EmptySubscription fix #​1435 #​1475
  • add Request::set_parsed_query method #​1483
  • Upgrade strum to 0.26 #​1485
  • Fix validation of non-nullable variables with default values #​1491
  • add NextExecute::run_with_data method to attach context data before execution
  • feat: add registry method in dynamic::Registry #​1492
  • Allow non-scalars to be used as directive arguments #​1493
  • fix: add description to __schema introspection result #​1489

v7.0.2

  • Fix #[derive(OneofObject)] rejecting enums where the type comes from a macro subsitution #​1473
  • Optimize object proc-macro codegen #​1470
  • Use impl Future instead of async-trait in most traits. #​1468
  • Upgrade base64 to 0.21 #​1466
  • Standardize space between Args, Lists and Binary items #​1392
  • feat: support bigdecimal 0.4.x #​1358

v7.0.1

v7.0.0

  • upgrade to http1
  • Feature extend ResolveInfo with field attribute #​1428

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Oct 03 '24 18:10 renovate[bot]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path fuzz/subgraph/Cargo.toml --package [email protected] --precise 7.0.10
warning: profiles for the non root package will be ignored, specify profiles at the workspace root:
package:   /tmp/renovate/repos/github/apollographql/router/apollo-router-scaffold/scaffold-test/Cargo.toml
workspace: /tmp/renovate/repos/github/apollographql/router/Cargo.toml
    Updating crates.io index
error: failed to select a version for the requirement `async-graphql = "^6.0.11"`
candidate versions found which didn't match: 7.0.10
location searched: crates.io index
required by package `async-graphql-axum v6.0.11`
    ... which satisfies dependency `async-graphql-axum = "^6"` (locked to 6.0.11) of package `everything-subgraph v0.1.0 (/tmp/renovate/repos/github/apollographql/router/fuzz/subgraph)`

renovate[bot] avatar Oct 03 '24 18:10 renovate[bot]

@renovate[bot], please consider creating a changeset entry in /.changesets/. These instructions describe the process and tooling.

github-actions[bot] avatar Oct 03 '24 18:10 github-actions[bot]

CI performance tests

  • [ ] connectors-const - Connectors stress test that runs with a constant number of users
  • [x] const - Basic stress test that runs with a constant number of users
  • [ ] demand-control-instrumented - A copy of the step test, but with demand control monitoring and metrics enabled
  • [ ] demand-control-uninstrumented - A copy of the step test, but with demand control monitoring enabled
  • [ ] enhanced-signature - Enhanced signature enabled
  • [ ] events - Stress test for events with a lot of users and deduplication ENABLED
  • [ ] events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
  • [ ] events_big_cap_high_rate_callback - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity using callback mode
  • [ ] events_callback - Stress test for events with a lot of users and deduplication ENABLED in callback mode
  • [ ] events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
  • [ ] events_without_dedup_callback - Stress test for events with a lot of users and deduplication DISABLED using callback mode
  • [ ] extended-reference-mode - Extended reference mode enabled
  • [ ] large-request - Stress test with a 1 MB request payload
  • [ ] no-tracing - Basic stress test, no tracing
  • [ ] reload - Reload test over a long period of time at a constant rate of users
  • [ ] step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
  • [ ] step-local-metrics - Field stats that are generated from the router rather than FTV1
  • [ ] step-with-prometheus - A copy of the step test with the Prometheus metrics exporter enabled
  • [x] step - Basic stress test that steps up the number of users over time
  • [ ] xlarge-request - Stress test with 10 MB request payload
  • [ ] xxlarge-request - Stress test with 100 MB request payload

router-perf[bot] avatar Oct 03 '24 18:10 router-perf[bot]

✅ Docs Preview Ready

No new or changed pages found.

svc-apollo-docs avatar Nov 29 '24 17:11 svc-apollo-docs

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate[bot] avatar Nov 29 '24 17:11 renovate[bot]

Note that this package is used in our fuzz-testing and not an actual runtime dependency.

abernix avatar Nov 29 '24 18:11 abernix

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 7.x releases. But if you manually upgrade to 7.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate[bot] avatar Nov 29 '24 18:11 renovate[bot]