Bump apollo-server from 2.14.2 to 2.26.0 in /backend
Created by: dependabot[bot]
Bumps apollo-server from 2.14.2 to 2.26.0.
Changelog
Sourced from apollo-server's changelog.
v2.26.0
- Backport [PR #5537](apollographql/apollo-server#5537) from Apollo Server 3. This fixes a TypeScript declaration relating to the Fetch API. We believe this will make it possible to use Apollo Server 2 with Apollo Gateway 0.52.0. (This change does not provide any functionality other than hopefully fixing some TypeScript builds, so if it turns out that this breaks your TypeScript build instead, just don't take the upgrade. We encourage you to upgrade to actively supported Apollo major versions instead.) [PR #6829](apollographql/apollo-server#6829)
v2.25.4
⚠ ️ SECURITY: If your server does not explicitly enablegraphql-upload
support via theuploads
option tonew ApolloServer
and your schema does not use theUpload
scalar (other than in its own definition), Apollo Server will not process themultipart/form-data
requests sent bygraphql-upload
clients. This fixes a Cross-Site Request Forgery (CSRF) vulnerability where origins could cause browsers to execute mutations using a user's cookies even when those origins are not allowed by your CORS policy. If you do use uploads in your server, the vulnerability still exists with this version; you should instead upgrade to Apollo Server v3.7 and enable the CSRF prevention feature. (The AS3.7 CSRF prevention feature also protects against other forms of CSRF such as timing attacks against read-only query operations.) See advisory GHSA-2p3c-p3qw-69r4 for more details.v2.25.3
⚠ ️ SECURITYapollo-server-core
: Update default version of the GraphQL Playground React app loaded from the CDN to be@apollographql/graphql-playground-react@1.7.42
. This patches an XSS vulnerability. Note that if you are pinning the Playground React app version in your app withnew ApolloServer({playground: {version: 'some version'}})
, you will need to update the specified version to 1.7.42 or later to avoid this vulnerability. If you disable GraphQL Playground withnew ApolloServer({playground: false})
, this vulnerability does not affect you. See advisory GHSA-qm7x-rc44-rrqw for more details.v2.25.2
apollo-server-express
: Update dependencies on@types/express
and@types/express-serve-static-core
. [PR #5352](apollographql/apollo-server#5352)v2.25.1
apollo-server-core
,apollo-server-express
: Upgradesubscriptions-transport-ws
dependency and remove unneeded runtime dependency onws
. This should enable you to install Apollo Server without depending on versions ofws
vulnerable to CVE-2021-32640. Note that the superficial integration of the unmaintainedsubscriptions-transport-ws
package will be removed in Apollo Server 3; you can also avoid this vulnerability by disabling the built-in subscription support withnew ApolloServer({subscriptions: false})
and using a maintained package such asgraphql-ws
instead. (Instead of taking this upgrade, you can also upgradews
to5.2.3
, which was just released.)v2.25.0
apollo-server-core
: You may now specify your Studio graph as a graph ref (id@variant
) via theAPOLLO_GRAPH_REF
environment variable ornew ApolloServer({apollo: {graphRef}})
instead of specifying graph ID and graph variant separately. Theapollo
object passed to pluginserverWillStart
and to gatewayload
now contains agraphRef
field.apollo-server-core
: Fix a race condition where schema reporting could lead to a delay at process shutdown. [PR #5222](apollographql/apollo-server#5222)apollo-server-core
: Allow the Fetch API implementation to be overridden for the schema reporting and usage reporting plugins via a newfetcher
option. [PR #5179](apollographql/apollo-server#5179)apollo-server-core
: Theserver.executeOperation
method (designed for testing) can now take itsquery
as aDocumentNode
(eg, agql
-tagged string) in addition to as a string. (This matches the behavior of theapollo-server-testing
createTestClient
function which is now deprecated.) We now recommend this method instead ofapollo-server-testing
in our docs. [Issue #4952](apollographql/apollo-server#4952)apollo-server-testing
: Replace README with a deprecation notice explaining how to useserver.executeOperation
instead. [Issue #4952](apollographql/apollo-server#4952)v2.24.1
apollo-server-core
: Fix a typo that could lead to TypeScript compilation when combined with a recent version of@types/node
. (This bug had no runtime effect.) [PR #5149](apollographql/apollo-server#5149)v2.24.0
apollo-server-core
: Apollo Studio usage reporting uses a more efficient format which sends fewer detailed traces to Apollo's server. This change should not have a major effect on the experience of using Apollo Studio. [PR #4142](apollographql/apollo-server#4142)v2.23.0
apollo-server-core
: Add optional argument toApolloServer.executeOperation
allowing the caller to manually specify an argument to theconfig
function analogous to that provided by integration packages. [PR #4166](apollographql/apollo-server#4166) [Issue #2886](apollographql/apollo-server#2886)apollo-server-cache-redis@1.4.0
: NewBaseRedisCache
class which takes anioredis
-compatible Redis client as an argument. The existing classesRedisCache
andRedisClusterCache
(which pass their arguments toioredis
constructors) are now implemented in terms of this class. This allows you to use any of theioredis
constructor forms rather than just the ones recognized by our classes. This also fixes a long-standing bug where the Redis cache implementations returned a number fromdelete()
; it now returns a number, matching what theKeyValueCache
interface and the TypeScript types expect. [PR #5034](apollographql/apollo-server#5034) [PR #5088](apollographql/apollo-server#5088) [Issue #4870](apollographql/apollo-server#4870) [Issue #5006](apollographql/apollo-server#5006)apollo-server-core
: Fix type forformatResponse
function. It never is called with anull
argument, and is allowed to returnnull
. [Issue #5009](apollographql/apollo-server#5009) [PR #5089](apollographql/apollo-server#5089)apollo-server-lambda
: Fix regression in v2.21.2 where thrown errors were replaced by throwing the JS Error class itself. [PR #5085](apollographql/apollo-server#5085)apollo-server-core
: If a client sends a variable of the wrong type, this is now reported as an error with anextensions.code
ofBAD_USER_INPUT
rather thanINTERNAL_SERVER_ERROR
. [PR #5091](apollographql/apollo-server#5091) [Issue #3498](apollographql/apollo-server#3498)apollo-server-lambda
: Explicitly support API GatewaypayloadFormatVersion
2.0. Previously some codepaths did appropriate checks to partially support 2.0 and other codepaths could lead to errors likeevent.path.endsWith is not a function
(especially since v2.21.1). Note that this changes the TypeScript typing of theonHealthCheck
callback passed tocreateHandler
to indicate that it can receive either type of event. If you are using TypeScript and care about having a precise typing for the argument to youronHealthCheck
callback, you should determine which payload format you want to support and writenew ApolloServer<APIGatewayProxyEvent>(...)
ornew ApolloServer<APIGatewayProxyEventV2>(...)
(importing these types fromaws-lambda
), or differentiate between the two formats by checking to see if'path' in event
. [Issue #5084](apollographql/apollo-server#5084) [Issue #5016](apollographql/apollo-server#5016)v2.22.2
apollo-server-core
: Fix a regression in v2.22.0 where combiningapollo-server-core
v2.22 with an older version of an integration package could lead to startup errors likecalled start() with surprising state invoking serverWillStart
. The fix involves changing the semantics of the protectedwillStart
method (which is left in only for backwards compatibility). [Issue #5065](apollographql/apollo-server#5065) [Issue #5066](apollographql/apollo-server#5066) [PR #5073](apollographql/apollo-server#5073)v2.22.1
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)