Nestjs-Learning
Nestjs-Learning copied to clipboard
dzzzzzy
fix(deps): update dependency apollo-server-express to v2.14.2 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| apollo-server-express | 2.7.0 -> 2.14.2 |
GitHub Vulnerability Alerts
GHSA-w42g-7vfc-xf37
We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.
Impact
If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules (i.e., using validationRules) since there would be no expectation that introspection was disabled.
The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.
Note: Unless
subscriptions: falseis explicitly passed to the constructor parameters ofnew ApolloServer({ ... }), subscriptions are enabled by default, whether or not there is aSubscriptiontype present in the schema. As an alternative to upgrading to a patched version, see the Workarounds section below to disable subscriptions if it is not necessary.
In cases where subscriptions: false is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to the SubscriptionServer.create invocation (seen here, prior to the patch).
The omitted validation rules for the subscription server include any validationRules passed by implementors to the ApolloServer constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internal NoIntrospection validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that the SubscriptionServer creates even though it was not possible on other transports (e.g. HTTP).
The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.
Affected packages
The bug existed in apollo-server-core versions prior to version 2.14.2, however, this means all integration packages (e.g., apollo-server-express, etc.) prior to version 2.14.2 which depend on apollo-server-core for their subscriptions support are affected. This includes the apollo-server package that automatically provides an Express server.
Therefore, for officially published Apollo Server packages, the full list of affected packages includes: apollo-server, apollo-server-azure-functions, apollo-server-cache-memcached, apollo-server-core, apollo-server-cloud-functions, apollo-server-cloudflare, apollo-server-express, apollo-server-fastify, apollo-server-hapi, apollo-server-koa, apollo-server-lambda, and apollo-server-micro.
Note: The full list included here doesn't fit into the box provided by the GitHub Security Advisories form.
Resolution
The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g., apollo-server-express) and the apollo-server-core package are both updated to the patched versions. (The version numbers should both be 2.14.2.)
Workarounds
Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with subscriptions: false to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:
const server = new ApolloServer({
subscriptions: false,
/* Other options, such as typeDefs, resolvers, schema, etc. */
});
For more information
If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.
Credit and appreciation
Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.
Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.
Release Notes
apollographql/apollo-server
v2.14.2
Note: This release is is related to a GitHub Security Advisory published by the Apollo Server team. Please read the attached advisory to understand the impact.
- ⚠️ SECURITY: Pass all schema validation rules to the subscription server, including validation rules that restrict introspection when introspection is meant to be disabled. Read the full GitHub Security Advisory for details.
v2.14.1
-
apollo-server-testing: Ensure that user-provided context is cloned when usingcreateTestClient, per the instructions in the integration testing section of the Apollo Server documentation. Issue #4170 PR #4175
v2.14.0
-
apollo-server-core/apollo-server-plugin-base: Add support forwillResolveFieldand corresponding end-handler withinexecutionDidStart. This brings the remaining bit of functionality that was previously only available fromgraphql-extensionsto the new plugin API. Thegraphql-extensionsAPI (which was never documented) will be deprecated in Apollo Server 3.x. To see the documentation for the request pipeline API, see its documentation. For more details, see the attached PR. PR #3988 -
apollo-server-core: Deprecategraphql-extensions. All internal usages of thegraphql-extensionsAPI have been migrated to the request pipeline plugin API. For any implementor-suppliedextensions, a deprecation warning will be printed once per-extension, per-server-startup, notifying of the intention to deprecate. Extensions should migrate to the plugin API, which is outlined in its documentation. PR #4135 -
apollo-engine-reporting: Currently only for non-federated graphs. Added an experimental schema reporting option,experimental_schemaReporting, for Apollo Graph Manager users. During this experiment, we'd appreciate testing and feedback from current and new users of the schema registry!Prior to the introduction of this feature, the only way to get schemas into the schema registry in Apollo Graph Manager was to use the CLI and run
apollo schema:push. Apollo schema reporting protocol is a new specification for GraphQL servers to automatically report schemas to the Apollo Graph Manager schema registry.To enable schema reporting, provide a Graph Manager API key (available free from Apollo Graph Manager) in the
APOLLO_KEYenvironment variable and set theexperimental_schemaReportingoption totruein the Apollo Server constructor options, like so:const server = new ApolloServer({ typeDefs, resolvers, engine: { experimental_schemaReporting: true, /* Other existing options can remain the same. */ }, });When enabled, a schema reporter is initiated by the
apollo-engine-reportingagent. It will loop until theApolloServerinstance is stopped, periodically calling back to Apollo Graph Manager to send information. The life-cycle of this reporter is managed by the agent.For more details on the implementation of this new protocol, see the PR which introduced it to Apollo Server and the preview documentation.
-
apollo-engine-reporting: The underlying integration of this plugin, which instruments and traces the graph's resolver performance and transmits these metrics to Apollo Graph Manager, has been changed from the (soon to be deprecated)graphql-extensionsAPI to the new request pipelinepluginsAPI. PR #3998This change should be purely an implementation detail for a majority of users. There are, however, some special considerations which are worth noting:
- The federated tracing plugin's
ftv1response onextensions(which is present on the response from an implementing service to the gateway) is now placed on theextensionsafter theformatResponsehook. Anyone leveraging theextensions.ftv1data from theformatResponsehook will find that it is no longer present at that phase.
- The federated tracing plugin's
-
apollo-tracing: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecatedgraphql-extensionsAPI to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3991 -
apollo-cache-control: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecatedgraphql-extensionsAPI to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3997
v2.13.1
v2.13.0
- Allow passing a
WebSocket.ServertoApolloServer.installSubscriptionHandlers. PR #2314 -
apollo-server-lambda: Support file uploads on AWS Lambda Issue #1419 Issue #1703 PR #3926 -
apollo-engine-reporting: Fix inadvertent conditional formatting which prevented automated persisted query (APQ) hits and misses from being reported to Apollo Graph Manager. PR #3986 -
apollo-engine-reporting: Deprecate theENGINE_API_KEYenvironment variable in favor of its new name,APOLLO_KEY. Continued use ofENGINE_API_KEYwill result in deprecation warnings and support for it will be removed in a future major version. #3923 -
apollo-engine-reporting: Deprecated theAPOLLO_SCHEMA_TAGenvironment variable in favor of its new name,APOLLO_GRAPH_VARIANT. Similarly, within theengineconfiguration object, theschemaTagproperty has been renamedgraphVariant. The functionality remains otherwise unchanged, but their new names mirror the name used within Apollo Graph Manager. Continued use of the now-deprecated names will result in deprecation warnings and support will be dropped completely in the next "major" update. To avoid misconfiguration, a runtime error will be thrown if both new and deprecated names are set. PR #3855 -
apollo-engine-reporting-protobuf: (This is a breaking change only if you directly depend onapollo-engine-reporting-protobuf.) Drop legacy fields that were never used byapollo-engine-reporting. Added new fieldsStatsContextto allowapollo-serverto send summary stats instead of full traces, and renamedFullTracesReporttoReportandTracestoTracesAndStatssince reports now can include stats as well as traces.
v2.12.0
-
apollo-server-core: Support providing a custom logger implementation (e.g.winston,bunyan, etc.) to capture server console messages. Though there has historically been limited output from Apollo Server, some messages are important to capture in the larger context of production logging facilities or can benefit from using more advanced structure, like JSON-based logging. This also introduces aloggerproperty to theGraphQLRequestContextthat is exposed to plugins, making it possible for plugins to leverage the same server-level logger, and allowing implementors to create request-specific log contexts, if desired. When not provided, these will still output toconsole. PR #3894 -
apollo-server-core: When operating in gateway mode using thegatewayproperty of the Apollo Server constructor options, the failure to initialize a schema during initial start-up, e.g. connectivity problems, will no longer result in the federated executor from being assigned when the schema eventually becomes available. This precludes a state where the gateway may never become available to serve federated requests, even when failure conditions are no longer present. PR #3811 -
apollo-server-core: Prevent a condition which prefixed an error message on each request when the initial gateway initialization resulted in a Promise-rejection which was memoized and re-prepended withInvalid options provided to ApolloServer:on each request. PR #3811 -
apollo-server-express: Disable the automatic inclusion of thex-powered-by: expressheader. PR #3821 -
apollo-engine-reporting: Avoid creating new arrays when building trace trees. PR #3479 -
apollo-server-core: BumpgraphqlpeerDependenciesrange to include^15.0.0. PR #3944
v2.11.0
- The range of accepted
peerDependenciesversions forgraphqlhas been widened to includegraphql@^15.0.0-rc.2so as to accommodate the latest release-candidate of thegraphql@15package, and an intention to support it when it is finally released on thelatestnpm tag. While this change will subdue peer dependency warnings for Apollo Server packages, many dependencies from outside of this repository will continue to raise similar warnings until those packages ownpeerDependenciesare updated. It is unlikely that all of those packages will update their ranges prior to the final version ofgraphql@15being released, but if everything is working as expected, the warnings can be safely ignored. PR #3825
v2.10.1
-
apollo-server-core: Update GraphQL Playground to latest version to remove a rogue curly-brace appearing in the top-right corner of the interface under certain conditions. PR #3702 Playground PR -
apollo-server-core: Typings: Allow thecacheproperty insidepersistedQueriesto be optional. This was already optional at runtime where it defaults to the top-level global cache when unspecified, but with the introduction of thettlproperty, it now makes sense that one may be provided without the other. #3671
v2.10.0
-
apollo-server-express: SupportCorsOptionsDelegatetype oncorsparameter toapplyMiddleware, to align with the supported type of the underlyingcorsmiddleware itself. #3613 -
apollo-server-core: Allow asynchronous initialization of datasources: theinitializemethod on datasources may now return a Promise, which will be settled before any resolvers are called. #3639 -
apollo-server-core: experimental: Allow configuration of the parsed/validated document store by introducing anexperimental_approximateDocumentStoreMiBproperty to theApolloServerconstructor options which overrides the default cache size of 30MiB. #3755
v2.9.16
-
apollo-server-core: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch) #3662
v2.9.15
-
apollo-engine-reporting: Fix regression introduced by #3614 which causedPersistedQueryNotFoundError,PersistedQueryNotSupportedErrorandInvalidGraphQLRequestErrorerrors to be triggered before therequestDidStarthandler triggeredtreeBuilder'sstartTimingmethod. This fix preserves the existing behavior by special-casing these specific errors. #3638 fixes #3627 -
apollo-server-cloud-functions: Transmit CORS headers onOPTIONSrequest. #3557 -
apollo-server-caching: De-compose options interface forKeyValueCache.prototype.setto accommodate better TSDoc annotations for its properties (e.g. to specify thatttlis defined in seconds). #3619 -
apollo-server-core,apollo-server-caching: Introduce attlproperty, specified in seconds, on the options for automated persisted queries (APQ) which applies specific TTL settings to the cachesets during APQ registration. Previously, all APQ cache records were set to 300 seconds. Additionally, this adds support (to the underlyingapollo-server-cachingmechanisms) for a time-to-live (TTL) value ofnullwhich, when supported by the cache implementation, skips the assignment of a TTL value altogether. This allows the cache's controller to determine when eviction happens (e.g. cache forever, and purge least recently used when the cache is full), which may be desireable for network cache stores (e.g. Memcached, Redis). #3623 -
apollo-server-core: Upgrade TS to 3.7.3 #3618
v2.9.14
-
apollo-server-core: Ensure that plugin'sdidEncounterErrorshooks are invoked for known automated persisted query (APQ) errors. #3614 -
apollo-server-plugin-base: MoveTContextgeneric fromrequestDidStartmethod toApolloServerPluginInterface. #3525
v2.9.13
-
@apollo/gateway: Add@types/node-fetchas a regular dependency to avoid missing dependency for TypeScript consumers. #3546 fixes #3471 -
apollo-engine-reporting: Declare acceptablegraphqlversions ranges inpeerDependenciesrather than allowing it to occur implicitly (and less ideally) via its consumers (e.g. mostapollo-server-*packages). #3496
v2.9.12
- Reinstate #3530 via #3539 - after a patch release of the
@apollo/protobufjsfork, the build issue for consumers should be resolved.
v2.9.11
- Revert #3530 via #3535- the introduction of the
@apollo/protobufjsfork is causing TS errors in consumer projects. Reverting this change for now, and will reintroduce it after the issue is resolved within the forked package.
v2.9.10
-
apollo-engine-reporting: Swap usage ofprotobufjsfor a newly published fork located at@apollo/protobufjs. This is to account for the relative uncertainty into the continued on-going maintenance of the officialprotobuf.jsproject. This should immediately resolve a bug that affectedLongtypes inapollo-engine-reportingand other non-Apollo projects that rely onprotobuf.js'sLongtype. #3530
v2.9.9
-
apollo-server-core: Don't try parsingvariablesandextensionsas JSON if they are defined but empty strings. #3501 -
apollo-server-lambda: IntroduceonHealthCheckoncreateHandlerin the same fashion as implemented in other integrations. #3458 -
apollo-server-core: Usegraphql'sisSchemato more defensively check the user-specified schema's type at runtime and prevent unexpected errors. #3462
v2.9.8
-
apollo-server-core: Provide accurate type forformatResponserather than genericFunctiontype. #3431 -
apollo-server-core: Pass complete request context toformatResponse, rather than justcontext. #3431
v2.9.7
-
apollo-server-errors: FixApolloErrorbug andGraphQLErrorspec compliance #3408
v2.9.6
-
@apollo/gateway,@apollo/federation,apollo-engine-reporting: Updateapollo-graphqldependency to bring inapollo-tooling's #1551 which resolve runtime errors when its source is minified. While this fixes a particular minification bug when Apollo Server packages are minified, we do not recommend minification of server code in most cases. #3387 fixes #3335 -
apollo-server-koa: Correctly declare dependency onkoa-compose. #3356 -
apollo-server-core: Preserve anyextensionsthat have been placed on the response when pre-execution errors occur. #3394
v2.9.5
v2.9.4
v2.9.3
-
apollo-server-express: Add direct dependency onexpressto allow for usage ofexpress.RouterforgetMiddlewarefunctionality (from #2435). Previously, unlike other server integration packages,apollo-server-expressdid not directly needexpressas a dependency since it only relied onexpressfor TypeScript typings. #3239 fixes #3238 -
apollo-server-lambda: Add@types/aws-lambdaas a direct dependency toapollo-server-expressto allow usage of its typings without needing to separately install it. #3242 fixes #2351
v2.9.2
-
apollo-server-koa: Drop support for Node.js v6 within the Apollo Server Koa integration in order to updatekoa-bodyparserdependency fromv3.0.0tov4.2.1. #3229 fixes #3050 -
apollo-server-express: Use explicit return type for newgetMiddlewaremethod. #3230 (hopefully) fixes #3222
v2.9.1
-
apollo-server-core: Update apollo-tooling dependencies, resolve TS build error (missing types for node-fetch) #3662
v2.9.0
-
apollo-server-express,apollo-server-koa: A newgetMiddlewaremethod has been introduced, which accepts the same parameters asapplyMiddlewarewith the exception of theappproperty. This allows implementors to obtain the middleware directly and "use" it within an existingapp. In the near-term, this should ease some of the pain points with the previous technique. Longer-term, we are exploring what we consider to be a much more natural approach by introducing an "HTTP transport" in Apollo Server 3.x. See this proposal issue for more information. #2435 -
@apollo/federation:buildFederatedSchema'stypeDefsparameter now accepts arrays ofDocumentNodes (i.e. type definitions wrapped ingql) andresolversto make the migration from a single service into a federated service easier for teams previously utilizing this pattern. #3188
v2.8.2
-
apollo-server-koa: Update dependency koa to v2.8.1. PR #3175 -
apollo-server-express: Update types exported by the ASE package. PR #3173 PR #3172
v2.8.1
-
apollo-engine-reporting: Fix reporting errors which have non-arraypathfields (eg, non-GraphQLError errors). PR #3112 -
apollo-engine-reporting: Add missingapollo-server-cachingdependency. PR #3054 -
apollo-server-hapi: Revert switch fromacceptandboomwhich took place in v2.8.0. PR #3089 -
@apollo/gateway: Change thesetIntervaltimer, which is used to continuously check for updates to a federated graph from the Apollo Graph Manager, to be anunref'd timer. Without this change, the server wouldn't terminate properly once polling had started since the event-loop would continue to have unprocessed events on it. PR #3105 - Switch to using community
@types/graphql-uploadtypes. -
apollo-server-fastify: Change the typing of the HTTPresponsefromOutgoingMessagetoServerResponse. Commit -
apollo-server-hapi: Pass therawrequest and response objects tographql-uploadsprocessRequestmethod to align on the same TypeScript types. Commit
v2.8.0
-
@apollo/federation: Add support for "value types", which are type definitions which live on multiple services' types, inputs, unions or interfaces. These common types must be identical by name, kind and field across all services. PR #3063 -
apollo-server-express: Use the Expresssendmethod, rather than callingnet.Socket.prototype.end. PR #2842 -
apollo-server-hapi: Update internal dependencies to use scoped packages@hapi/acceptand@hapi/boom, in place ofacceptandboomrespectively. PR #3089
v2.7.2
-
apollo-engine-reporting: Fix reporting errors from backend. (The support for federated metrics introduced in v2.7.0 did not properly handle GraphQL errors from the backend; all users of federated metrics should upgrade to this version.) PR #3056 Issue #3052 -
apollo-engine-reporting: Clean upSIGINTandSIGTERMhandlers whenEngineReportingAgentis stopped; fixes 'Possible EventEmitter memory leak detected' log. PR #3090
v2.7.1
-
apollo-engine-reporting: If an error is thrown by a custom variable transform function passed into the reporting optionsendVariableValues: { transform: ... }, all variable values will be replaced with the string[PREDICATE_FUNCTION_ERROR]. -
apollo-server-express: Typing fix for theconnectionproperty, which was missing from theExpressContextinterface. PR #2959 -
@apollo/gateway: Ensure execution of correct document within multi-operation documents by including theoperationNamein the cache key used when caching query plans used in federated execution. PR #3084
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by WhiteSource Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}