
chore(deps): update all non-major dependencies #7

Open
wants to merge 1 commit into
base: main

renovate[bot]
Contributor

@renovate renovate bot commented Aug 3, 2022

This PR contains the following updates:

| Package | Change | Type | Update |
| --- | --- | --- | --- |
| @apollo/server-integration-testsuite (source) | 4.0.0-alpha.2 -> 4.11.2 | devDependencies | minor |
| @apollo/utils.withrequired (source) | 1.0.0 -> 1.0.1 | devDependencies | patch |
| @types/aws-lambda (source) | 8.10.101 -> 8.10.146 | devDependencies | patch |
| @types/jest (source) | 28.1.6 -> 28.1.8 | devDependencies | patch |
| jest-junit | 14.0.0 -> 14.0.1 | devDependencies | patch |
| node (source) | 16.16.0 -> 16.20.2 | volta | minor |
| npm (source) | 8.15.1 -> 8.19.4 | volta | minor |
| prettier (source) | 2.7.1 -> 2.8.8 | devDependencies | minor |
| ts-jest (source) | 28.0.7 -> 28.0.8 | devDependencies | patch |
| ts-node (source) | 10.9.1 -> 10.9.2 | devDependencies | patch |
| typescript (source) | 4.7.4 -> 4.9.5 | devDependencies | minor |

Release Notes

apollographql/apollo-server (@​apollo/server-integration-testsuite)

v4.11.2

Compare Source

Patch Changes

v4.11.1

Compare Source

Patch Changes
  • #​7952 bb81b2c Thanks @​glasser! - Upgrade dependencies so that automated scans don't detect a vulnerability.

    @apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

    However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

    The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

    However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

  • Updated dependencies [bb81b2c]:

v4.11.0

Compare Source

Patch Changes

v4.10.5

Compare Source

Patch Changes

v4.10.4

Compare Source

Patch Changes

v4.10.3

Compare Source

Patch Changes

v4.10.2

Compare Source

Patch Changes

v4.10.1

Compare Source

Patch Changes

v4.10.0

Compare Source

Minor Changes
  • #​7786 869ec98 Thanks @​ganemone! - Restore missing v1 skipValidation option as dangerouslyDisableValidation. Note that enabling this option exposes your server to potential security and unexpected runtime issues. Apollo will not support issues that arise as a result of using this option.
Patch Changes

v4.9.5

Compare Source

Patch Changes

v4.9.4

Compare Source

Patch Changes

v4.9.3

Compare Source

Patch Changes

v4.9.2

Compare Source

Patch Changes

v4.9.1

Compare Source

Patch Changes

v4.9.0

Compare Source

Patch Changes

v4.8.1

Compare Source

Patch Changes

v4.8.0

Compare Source

Patch Changes

v4.7.5

Compare Source

Patch Changes

v4.7.4

Compare Source

Patch Changes
  • #​7604 aeb511c7d Thanks @​renovate! - Update graphql-http dependency

  • 0adaf80d1 Thanks @​trevor-scheer! - Address Content Security Policy issues

    The previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.

    The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a precomputedNonce configuration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.

    Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.

    A final consequence of this change is an extension of the renderLandingPage plugin hook. This hook can now return an object with an html property which returns a Promise<string> in addition to a string (which was the only option before).

  • Updated dependencies [0adaf80d1]:

v4.7.3

Compare Source

Patch Changes

v4.7.2

Compare Source

Patch Changes

v4.7.1

Compare Source

Patch Changes

v4.7.0

Compare Source

Patch Changes

v4.6.0

Compare Source

Patch Changes

v4.5.0

Compare Source

Patch Changes

v4.4.1

Compare Source

Patch Changes

v4.4.0

Compare Source

Patch Changes

v4.3.3

Compare Source

Patch Changes

v4.3.2

Compare Source

Patch Changes

v4.3.1

Compare Source

Patch Changes

v4.3.0

Compare Source

Patch Changes

v4.2.2

Compare Source

Patch Changes

v4.2.1

Compare Source

Patch Changes

v4.2.0

Compare Source

Minor Changes
  • #​7171 37b3b7fb5 Thanks @​glasser! - If a POST body contains a non-string operationName or a non-object variables or extensions, fail with status code 400 instead of ignoring the field.

    In addition to being a reasonable idea, this provides more compliance with the "GraphQL over HTTP" spec.

    This is a backwards incompatible change, but we are still early in the Apollo Server 4 adoption cycle and this is in line with the change already made in Apollo Server 4 to reject requests providing variables or extensions as strings. If this causes major problems for users who have already upgraded to Apollo Server 4 in production, we can consider reverting or partially reverting this change.

Patch Changes

v4.1.1

Compare Source

Patch Changes

v4.1.0

Compare Source

Minor Changes
  • 2a2d1e3b4 Thanks @​glasser! - The cache-control HTTP response header set by the cache control plugin now properly reflects the cache policy of all operations in a batched HTTP request. (If you write the cache-control response header via a different mechanism to a format that the plugin would not produce, the plugin no longer writes the header.) For more information, see advisory GHSA-8r69-3cvp-wxc3.

  • 2a2d1e3b4 Thanks @​glasser! - Plugins processing multiple operations in a batched HTTP request now have a shared requestContext.request.http object. Changes to HTTP response headers and HTTP status code made by plugins operating on one operation can be immediately seen by plugins operating on other operations in the same HTTP request.

  • 2a2d1e3b4 Thanks @​glasser! - New field GraphQLRequestContext.requestIsBatched available to plugins.

  • #​7114 c1651bfac Thanks @​trevor-scheer! - Directly depend on Apollo Server rather than as a peer

Patch Changes

v4.0.5

Compare Source

Patch Changes

v4.0.4

Compare Source

Patch Changes

v4.0.3

Compare Source

Patch Changes
  • #​7073 e7f524eac Thanks @​glasser! - Never interpret GET requests as batched. In previous versions of Apollo Server 4, a GET request whose body was a JSON array with N elements would be interpreted as a batch of the operation specified in the query string repeated N times. Now we just ignore the body for GET requests (like in Apollo Server 3), and never treat them as batched.

  • #​7071 0ed389ce8 Thanks @​glasser! - Fix v4 regression: gateway implementations should be able to set HTTP response headers and the status code.

  • Updated dependencies [e7f524eac, 0ed389ce8]:

v4.0.2

Compare Source

Patch Changes

v4.0.1

Compare Source

Patch Changes

v4.0.0

Compare Source

Initial release of @apollo/server-integration-testsuite.

v4.0.0-rc.18

Compare Source

Patch Changes

v4.0.0-rc.17

Compare Source

Patch Changes

v4.0.0-rc.16

[Compare Source](https://redirect.github.com/apollographql/apollo-server/compare/@apollo/server-int


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
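
The v4.7.4 release note quoted above ("Address Content Security Policy issues") turns on the difference between a nonce created once per server instance and one created per request. The sketch below is an added example, not Apollo Server's code and not part of the bot's comment; the handler names, the page markup and the `findReusedNonces` check are hypothetical.

```javascript
// Added example: hypothetical landing-page handlers, not Apollo Server code.
const crypto = require('node:crypto');

// 128 bits of randomness, base64-encoded, used as the CSP nonce value.
const newNonce = () => crypto.randomBytes(16).toString('base64');

// Build a response whose CSP header and inline script carry the same nonce.
function render(nonce) {
  return {
    headers: {
      'content-security-policy':
        `script-src 'self' 'nonce-${nonce}'; style-src 'nonce-${nonce}'`,
    },
    html: `<script nonce="${nonce}">/* landing page bootstrap */</script>`,
  };
}

// Pattern the release note describes as degraded: the nonce is generated
// once at startup and reused for the lifetime of the instance.
function makeInstanceNonceHandler() {
  const nonce = newNonce();
  return () => render(nonce);
}

// Corrected pattern: crypto is called inside the handler, once per request.
function makePerRequestNonceHandler() {
  return () => render(newNonce());
}

// Check for a test suite or response audit: extract the nonce from each
// response's CSP header and return every value seen more than once.
function findReusedNonces(responses) {
  const seen = new Map();
  for (const res of responses) {
    const m = /'nonce-([^']+)'/.exec(res.headers['content-security-policy'] || '');
    if (m) seen.set(m[1], (seen.get(m[1]) || 0) + 1);
  }
  return [...seen].filter(([, n]) => n > 1).map(([nonce]) => nonce);
}

// Simulate `count` requests against a handler (constructed input).
function collect(handler, count) {
  return Array.from({ length: count }, () => handler());
}
```

Running `findReusedNonces` over a handful of captured landing-page responses is a quick regression check that a deployment is not still using a precomputed nonce.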

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 5ebd878 to 463c632 Compare August 6, 2022 11:43
@renovate renovate bot changed the title chore(deps): update dependency @apollo/server-integration-testsuite to v4.0.0-alpha.2 chore(deps): update dependency npm to v8.16.0 Aug 6, 2022
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 463c632 to f22c3a2 Compare August 9, 2022 21:39
@renovate renovate bot changed the title chore(deps): update dependency npm to v8.16.0 chore(deps): update all non-major dependencies to v4.0.0-alpha.3 Aug 10, 2022
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from f22c3a2 to bbe55b5 Compare August 10, 2022 10:51
@renovate renovate bot changed the title chore(deps): update all non-major dependencies to v4.0.0-alpha.3 chore(deps): update all non-major dependencies Aug 10, 2022
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 10 times, most recently from e6278b7 to c35c0df Compare August 17, 2022 12:57
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from d0592f0 to 7fbf252 Compare August 24, 2022 11:33
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 87e42ef to 91a9840 Compare September 2, 2022 00:18
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 91a9840 to a30b31f Compare September 5, 2022 20:01
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 2e1a59a to 7bdc469 Compare November 30, 2023 16:34
@renovate renovate bot requested a review from trevor-scheer as a code owner November 30, 2023 16:34
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 7bdc469 to 7f4f6d3 Compare December 8, 2023 12:17
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 603e9cf to 62bb490 Compare January 4, 2024 21:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from a3494d9 to 71d620a Compare January 30, 2024 12:52
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 71d620a to 1a7f07a Compare February 18, 2024 00:05
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 1a7f07a to 1894fd3 Compare March 5, 2024 22:12
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 1894fd3 to 4a36fbb Compare March 22, 2024 20:47
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 4a36fbb to 71a3c64 Compare April 5, 2024 09:52
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from efaeabe to a1cb84b Compare April 18, 2024 17:02
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from a1cb84b to 764af7a Compare May 16, 2024 18:44
Contributor Author

renovate bot commented May 16, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn cli npm v10.9.1 does not support Node.js v16.20.2. This version of npm supports the following node versions: `^18.17.0 || >=20.5.0`. You can find the latest version at https://nodejs.org/.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: server-v4-integration-demos@undefined
npm error Found: graphql@16.5.0
npm error node_modules/graphql
npm error   dev graphql@"16.5.0" from the root project
npm error   peer graphql@"^16.5.0" from [email protected]
npm error   packages/fastify
npm error     [email protected]
npm error     node_modules/apollo-server-integration-fastify
npm error       workspace packages/fastify from the root project
npm error   1 more (apollo-server-integration-lambda)
npm error
npm error Could not resolve dependency:
npm error peer graphql@"^16.6.0" from @apollo/server-integration-testsuite@4.11.2
npm error node_modules/@apollo/server-integration-testsuite
npm error   dev @apollo/server-integration-testsuite@"4.11.2" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-11-25T22_35_55_353Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-11-25T22_35_55_353Z-debug-0.log

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from d823f02 to 903bf3d Compare June 18, 2024 02:24
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 903bf3d to d8fc8fa Compare July 9, 2024 22:18
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from c5e9cbe to 1550181 Compare July 24, 2024 15:16
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 9b8f0d5 to 3682fae Compare August 8, 2024 19:20
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 996e7b5 to 73a91ac Compare August 28, 2024 01:52
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from ee5b534 to d8327e7 Compare October 30, 2024 01:53
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from d8327e7 to 1768ff1 Compare November 25, 2024 22:36