chore(deps): update apollo graphql packages #255
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.9.5
->4.11.2
3.13.0
->4.0.0
This is a special PR that replaces
apollo-server-express
with the community suggested minimal stable replacement version.Release Notes
apollographql/apollo-server (@apollo/server)
v4.11.2
Compare Source
(No change; there is a change to the
@apollo/server-integration-testsuite
used to test integrations, and the two packages always have matching versions.)v4.11.1
Compare Source
Patch Changes
#7952
bb81b2c
Thanks @glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.@apollo/server
depends onexpress
which depends oncookie
. Versions ofexpress
older than v4.21.1 depend on a version ofcookie
vulnerable to CVE-2024-47764. Users of olderexpress
versions who callres.cookie()
orres.clearCookie()
may be vulnerable to this issue.However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.
The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call
startStandaloneServer
with a context function that calls Express-specific methods such asres.cookie()
orres.clearCookies()
on the response object, which is a violation of the TypeScript types provided bystartStandaloneServer
(which only promise that the response object is a core Node.jshttp.ServerResponse
rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafeas
typecasts in TypeScript.However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own
express
dependency to v4.21.1 or newer.v4.11.0
Compare Source
Minor Changes
#7916
4686454
Thanks @andrewmcgivery! - AddhideSchemaDetailsFromClientErrors
option to ApolloServer to allow hiding 'did you mean' suggestions from validation errors.Even with introspection disabled, it is possible to "fuzzy test" a graph manually or with automated tools to try to determine the shape of your schema. This is accomplished by taking advantage of the default behavior where a misspelt field in an operation
will be met with a validation error that includes a helpful "did you mean" as part of the error text.
For example, with this option set to
true
, an error would readCannot query field "help" on type "Query".
whereas with this option set tofalse
it would readCannot query field "help" on type "Query". Did you mean "hello"?
.We recommend enabling this option in production to avoid leaking information about your schema to malicious actors.
To enable, set this option to
true
in yourApolloServer
options:v4.10.5
Compare Source
Patch Changes
#7821
b2e15e7
Thanks @renovate! - Non-major dependency updates#7900
86d7111
Thanks @trevor-scheer! - Inline a small dependency that was causing build issues for ESM projectsv4.10.4
Compare Source
Patch Changes
18a3827
Thanks @tninesling! - Subscription heartbeats are initialized prior to awaiting subscribe(). This allows long-running setup to happen in the returned Promise without the subscription being terminated prior to resolution.v4.10.3
Compare Source
Patch Changes
5f335a5
Thanks @tninesling! - Catch errors thrown by subscription generators, and gracefully clean up the subscription instead of crashing.v4.10.2
Compare Source
Patch Changes
c7e514c
Thanks @TylerBloom! - In the subscription callback server plugin, terminating a subscription now immediately closes the internal async generator. This avoids that generator existing after termination and until the next message is received.v4.10.1
Compare Source
Patch Changes
72f568e
Thanks @bscherlein! - Improves timing of thewillResolveField
end hook on fields which return Promises resolving to Arrays. This makes the use of thesetCacheHint
method more reliable.v4.10.0
Compare Source
Minor Changes
#7786
869ec98
Thanks @ganemone! - Restore missing v1skipValidation
option asdangerouslyDisableValidation
. Note that enabling this option exposes your server to potential security and unexpected runtime issues. Apollo will not support issues that arise as a result of using this option.#7803
e9a0d6e
Thanks @favna! - allowstringifyResult
to return aPromise<string>
Users who implemented the
stringifyResult
hook can now expect error responses to be formatted with the hook as well. Please take care when updating to this version to ensure this is the desired behavior, or implement the desired behavior accordingly in yourstringifyResult
hook. This was considered a non-breaking change as we consider that it was an oversight in the original PR that introducedstringifyResult
hook.Patch Changes
#7793
9bd7748
Thanks @bnjjj! - General availability of subscription callback protocol#7799
63dc50f
Thanks @stijnbe! - Fix type of ApolloServerPluginUsageReporting reportTimer#7740
fe68c1b
Thanks @barnisanov! - Uninstalledbody-parser
and usedexpress
built-inbody-parser
functionality instead(mainly the json middleware)Configuration
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.