search

FlatbreadLabs / flatbread

Consume relational, flat-file data using GraphQL in any static framework 🫓
57 stars 2 forks source link

fix(deps): update dependency graphql to v16.8.1 [security] #122

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
graphql 16.5.0 -> 16.8.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-26144

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

Note: It was not proven that this vulnerability can crash the process.

Release Notes

graphql/graphql-js (graphql) ### [`v16.8.1`](https://redirect.github.com/graphql/graphql-js/releases/tag/v16.8.1) [Compare Source](https://redirect.github.com/graphql/graphql-js/compare/v16.8.0...v16.8.1) ##### v16.8.1 (2023-09-19) ##### Bug Fix 🐞 - [#​3967](https://redirect.github.com/graphql/graphql-js/pull/3967) OverlappingFieldsCanBeMergedRule: Fix performance degradation ([@​AaronMoat](https://redirect.github.com/AaronMoat)) ##### Committers: 1 - Aaron Moat([@​AaronMoat](https://redirect.github.com/AaronMoat)) ### [`v16.8.0`](https://redirect.github.com/graphql/graphql-js/releases/tag/v16.8.0) [Compare Source](https://redirect.github.com/graphql/graphql-js/compare/v16.7.1...v16.8.0) #### v16.8.0 (2023-08-14) ##### New Feature 🚀 - [#​3950](https://redirect.github.com/graphql/graphql-js/pull/3950) Support fourfold nested lists ([@​gschulze](https://redirect.github.com/gschulze)) ##### Committers: 1 - Gunnar Schulze([@​gschulze](https://redirect.github.com/gschulze)) ### [`v16.7.1`](https://redirect.github.com/graphql/graphql-js/releases/tag/v16.7.1) [Compare Source](https://redirect.github.com/graphql/graphql-js/compare/v16.7.0...v16.7.1) #### v16.7.1 (2023-06-22) :loudspeaker: Big shout out to [@​phryneas](https://redirect.github.com/phryneas), who managed to reproduce this issue and come up with this fix. ##### Bug Fix 🐞 - [#​3923](https://redirect.github.com/graphql/graphql-js/pull/3923) instanceOf: workaround bundler issue with `process.env` ([@​IvanGoncharov](https://redirect.github.com/IvanGoncharov)) ##### Committers: 1 - Ivan Goncharov([@​IvanGoncharov](https://redirect.github.com/IvanGoncharov)) ### [`v16.7.0`](https://redirect.github.com/graphql/graphql-js/releases/tag/v16.7.0) [Compare Source](https://redirect.github.com/graphql/graphql-js/compare/v16.6.0...v16.7.0) ##### v16.7.0 (2023-06-21) ##### New Feature 🚀 - [#​3887](https://redirect.github.com/graphql/graphql-js/pull/3887) check "globalThis.process" before accessing it ([@​kettanaito](https://redirect.github.com/kettanaito)) ##### Bug Fix 🐞 - [#​3707](https://redirect.github.com/graphql/graphql-js/pull/3707) Fix crash in node when mixing sync/async resolvers (backport of [#​3706](https://redirect.github.com/graphql/graphql-js/issues/3706)) ([@​chrskrchr](https://redirect.github.com/chrskrchr)) - [#​3838](https://redirect.github.com/graphql/graphql-js/pull/3838) Fix/invalid error propagation custom scalars (backport for 16.x.x) ([@​stenreijers](https://redirect.github.com/stenreijers)) ##### Committers: 3 - Artem Zakharchenko([@​kettanaito](https://redirect.github.com/kettanaito)) - Chris Karcher([@​chrskrchr](https://redirect.github.com/chrskrchr)) - Sten Reijers([@​stenreijers](https://redirect.github.com/stenreijers)) ### [`v16.6.0`](https://redirect.github.com/graphql/graphql-js/releases/tag/v16.6.0) [Compare Source](https://redirect.github.com/graphql/graphql-js/compare/v16.5.0...v16.6.0) #### v16.6.0 (2022-08-16) ##### New Feature 🚀 - [#​3645](https://redirect.github.com/graphql/graphql-js/pull/3645) createSourceEventStream: introduce named arguments and deprecate positional arguments ([@​yaacovCR](https://redirect.github.com/yaacovCR)) - [#​3702](https://redirect.github.com/graphql/graphql-js/pull/3702) parser: limit maximum number of tokens ([@​IvanGoncharov](https://redirect.github.com/IvanGoncharov)) ##### Bug Fix 🐞 - [#​3686](https://redirect.github.com/graphql/graphql-js/pull/3686) Workaround for codesandbox having bug with TS enums ([@​IvanGoncharov](https://redirect.github.com/IvanGoncharov)) - [#​3701](https://redirect.github.com/graphql/graphql-js/pull/3701) Parser: allow 'options' to explicitly accept undefined ([@​IvanGoncharov](https://redirect.github.com/IvanGoncharov)) ##### Committers: 2 - Ivan Goncharov([@​IvanGoncharov](https://redirect.github.com/IvanGoncharov)) - Yaacov Rydzinski ([@​yaacovCR](https://redirect.github.com/yaacovCR))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.