From b7e7cd163fac34e139ceaaf47be025e0185327fd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 11:30:57 -0700 Subject: [PATCH] Version Packages (#7953) This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated. # Releases ## @apollo/server-integration-testsuite@4.11.1 ### Patch Changes - [#7952](https://github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability. `@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue. However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast. The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript. However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer. - Updated dependencies \[[`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53)]: - @apollo/server@4.11.1 ## @apollo/server@4.11.1 ### Patch Changes - [#7952](https://github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability. `@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue. However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast. The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript. However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer. Co-authored-by: github-actions[bot] --- .changeset/young-guests-joke.md | 14 -------------- package-lock.json | 8 ++++---- packages/integration-testsuite/CHANGELOG.md | 17 +++++++++++++++++ packages/integration-testsuite/package.json | 4 ++-- packages/server/CHANGELOG.md | 14 ++++++++++++++ packages/server/package.json | 2 +- 6 files changed, 38 insertions(+), 21 deletions(-) delete mode 100644 .changeset/young-guests-joke.md diff --git a/.changeset/young-guests-joke.md b/.changeset/young-guests-joke.md deleted file mode 100644 index 075a967ec46..00000000000 --- a/.changeset/young-guests-joke.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -'@apollo/server-integration-testsuite': patch -'@apollo/server': patch ---- - -Upgrade dependencies so that automated scans don't detect a vulnerability. - -`@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue. - -However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast. - -The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript. - -However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer. diff --git a/package-lock.json b/package-lock.json index b0d1bca3852..4b9f93920d5 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14472,12 +14472,12 @@ }, "packages/integration-testsuite": { "name": "@apollo/server-integration-testsuite", - "version": "4.11.0", + "version": "4.11.1", "license": "MIT", "dependencies": { "@apollo/cache-control-types": "^1.0.3", "@apollo/client": "^3.6.9", - "@apollo/server": "4.11.0", + "@apollo/server": "4.11.1", "@apollo/usage-reporting-protobuf": "^4.1.1", "@apollo/utils.createhash": "^2.0.0", "@apollo/utils.keyvaluecache": "^2.1.0", @@ -14516,7 +14516,7 @@ }, "packages/server": { "name": "@apollo/server", - "version": "4.11.0", + "version": "4.11.1", "license": "MIT", "dependencies": { "@apollo/cache-control-types": "^1.0.3", @@ -14806,7 +14806,7 @@ "requires": { "@apollo/cache-control-types": "^1.0.3", "@apollo/client": "^3.6.9", - "@apollo/server": "4.11.0", + "@apollo/server": "4.11.1", "@apollo/usage-reporting-protobuf": "^4.1.1", "@apollo/utils.createhash": "^2.0.0", "@apollo/utils.keyvaluecache": "^2.1.0", diff --git a/packages/integration-testsuite/CHANGELOG.md b/packages/integration-testsuite/CHANGELOG.md index c12c51d4d3a..597726c483f 100644 --- a/packages/integration-testsuite/CHANGELOG.md +++ b/packages/integration-testsuite/CHANGELOG.md @@ -1,5 +1,22 @@ # @apollo/server-integration-testsuite +## 4.11.1 + +### Patch Changes + +- [#7952](https://github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability. + + `@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue. + + However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast. + + The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript. + + However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer. + +- Updated dependencies [[`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53)]: + - @apollo/server@4.11.1 + ## 4.11.0 ### Patch Changes diff --git a/packages/integration-testsuite/package.json b/packages/integration-testsuite/package.json index 730fac55c92..ba6e3a08c64 100644 --- a/packages/integration-testsuite/package.json +++ b/packages/integration-testsuite/package.json @@ -1,6 +1,6 @@ { "name": "@apollo/server-integration-testsuite", - "version": "4.11.0", + "version": "4.11.1", "description": "Test suite for Apollo Server integrations", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -28,7 +28,7 @@ "dependencies": { "@apollo/cache-control-types": "^1.0.3", "@apollo/client": "^3.6.9", - "@apollo/server": "4.11.0", + "@apollo/server": "4.11.1", "@apollo/usage-reporting-protobuf": "^4.1.1", "@apollo/utils.createhash": "^2.0.0", "@apollo/utils.keyvaluecache": "^2.1.0", diff --git a/packages/server/CHANGELOG.md b/packages/server/CHANGELOG.md index f691b4afc30..b35ef16b6e3 100644 --- a/packages/server/CHANGELOG.md +++ b/packages/server/CHANGELOG.md @@ -1,5 +1,19 @@ # @apollo/server +## 4.11.1 + +### Patch Changes + +- [#7952](https://github.com/apollographql/apollo-server/pull/7952) [`bb81b2c`](https://github.com/apollographql/apollo-server/commit/bb81b2c6b794dcd98fea9d01e4e38c6450287f53) Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so that automated scans don't detect a vulnerability. + + `@apollo/server` depends on `express` which depends on `cookie`. Versions of `express` older than v4.21.1 depend on a version of `cookie` vulnerable to CVE-2024-47764. Users of older `express` versions who call `res.cookie()` or `res.clearCookie()` may be vulnerable to this issue. + + However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast. + + The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call `startStandaloneServer` with a context function that calls Express-specific methods such as `res.cookie()` or `res.clearCookies()` on the response object, which is a violation of the TypeScript types provided by `startStandaloneServer` (which only promise that the response object is a core Node.js `http.ServerResponse` rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe `as` typecasts in TypeScript. + + However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own `express` dependency to v4.21.1 or newer. + ## 4.11.0 ### Minor Changes diff --git a/packages/server/package.json b/packages/server/package.json index 7ff67e6fff7..9b9d2888701 100644 --- a/packages/server/package.json +++ b/packages/server/package.json @@ -1,6 +1,6 @@ { "name": "@apollo/server", - "version": "4.11.0", + "version": "4.11.1", "description": "Core engine for Apollo GraphQL server", "type": "module", "main": "dist/cjs/index.js",